On Thu, 24 Feb 2011, Mr Dash Four wrote:

> Jozsef, you mentioned yesterday that ipset 5.x (and I presume 6.0+ also) does
> not implement ip range 'readjustment' any more. If so, what happens when I
> list the set below:
>
> ipset -F test
> ipset -A test 10.1.1.0/24
> ipset -D test 10.1.1.12
> ipset -L test

It depends on the type of the set. With hash:ip type it's simple

# ipset -N test hash:ip
# ipset -A test 10.1.1.0/24
# ipset -D test 10.1.1.12
# ipset -L test | grep 10.1.1.12
10.1.1.125
10.1.1.126
10.1.1.124
10.1.1.122
10.1.1.129
10.1.1.123
10.1.1.121
10.1.1.120
10.1.1.127
10.1.1.128

However with hash:net type

# ipset -N test hash:net
# ipset -A test 10.1.1.0/24
# ipset -D test 10.1.1.12
ipset v6.0: Element cannot be deleted from the set: it's not added

and that's also right, because the hash types do not magically figure out
overlapping ranges and collapse those or break up ranges into parts when
deleting intersecting elements.

The hash:*net* types could be extended to store non-matching elements,
something like this:

# ipset -N test hash:net
# ipset -A test 10.1.1.0/24
# ipset -A test 10.1.1.12 --nomatch

That way overlapping entries with different "access right" could be stored
in a single set. But any coding needs time and testing.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
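The following is an added example, not part of the message above and not ipset's own code: a simplified Python model of the two set types that replays the commands from the message and shows why the delete succeeds for hash:ip but is refused for hash:net. The class names HashIp and HashNet are hypothetical, and the most-specific-prefix-first lookup used for the proposed nomatch entries is an assumption of this model.

```python
import ipaddress

class HashIp:
    """Model of hash:ip: a CIDR is expanded, every address is its own element."""
    def __init__(self):
        self.elems = set()
    def add(self, spec):
        self.elems.update(ipaddress.ip_network(spec))
    def delete(self, spec):
        addrs = set(ipaddress.ip_network(spec))
        if not addrs <= self.elems:
            raise KeyError(f"{spec}: it's not added")
        self.elems -= addrs
    def test(self, ip):
        return ipaddress.ip_address(ip) in self.elems

class HashNet:
    """Model of hash:net: each network is one opaque element, never split."""
    def __init__(self):
        self.elems = {}  # network -> nomatch flag (the extension proposed above)
    def add(self, spec, nomatch=False):
        self.elems[ipaddress.ip_network(spec)] = nomatch
    def delete(self, spec):
        net = ipaddress.ip_network(spec)
        if net not in self.elems:  # 10.1.1.12/32 was never stored, only the /24
            raise KeyError(f"{net}: it's not added")
        del self.elems[net]
    def test(self, ip):
        # Assumption: probe from /32 down to /0 so the most specific entry wins.
        for prefix in range(32, -1, -1):
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            if net in self.elems:
                return not self.elems[net]
        return False

def replay():
    """Replay the commands from the message against both models."""
    h = HashIp()
    h.add("10.1.1.0/24")
    h.delete("10.1.1.12")
    grep = sorted(str(a) for a in h.elems if "10.1.1.12" in str(a))
    n = HashNet()
    n.add("10.1.1.0/24")
    try:
        n.delete("10.1.1.12")
        refused = False
    except KeyError:
        refused = True
    n.add("10.1.1.12", nomatch=True)  # carve the exception out of the /24
    return grep, refused, n.test("10.1.1.12"), n.test("10.1.1.13")
```

In a firewall rule set the difference matters: with hash:net, a failed delete leaves the whole /24 matching, so an address an administrator believes was excluded is still covered by the rule.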