Re: [ANNOUNCE] ipset 6.11 released

> ipset is a tool to build up so called sets inside the Linux kernel.

I think I know what ipset is, thank you.

> The sets are of use on the kernel side only, and there the kernel matches single IP addresses and never whole networks.

OK, I don't have intimate knowledge of the ipset code and its internal workings, but it obviously accepts IP ranges: if I have a hash:net set containing 10.1.0.0/16, for example, and then test for that exact IP range (10.1.0.0/16), the test returns true, so ipset obviously processes this IP range and returns a good result. How is that done if the kernel "matches single IP addresses and never whole networks"?

One other thing: *if* ipset can only accept single IP addresses instead of IP ranges (I don't believe this to be the case, but anyway, if it does), then you could process a single IP address in a loop covering the whole range to be tested (10.1.12.0/24 in my example, i.e. looping from 10.1.12.0 to 10.1.12.255 inclusive) and bail out as soon as there is no match, which would then return 'false' (i.e. no match). You could even speed things up a bit by implementing batch processing of IP ranges internally (via a single kernel API instead of looping in ipset and calling the kernel API once per single-address check).

I know this implementation is a bit crude, but since this testing takes place in userspace, the delay won't matter *that* much. How doable is that?
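To make the two behaviours discussed above concrete, here is an added Python model (not ipset's own code) that contrasts an exact-entry test against the per-address loop proposed in the reply, using the constructed set contents from the thread: a hash:net set holding 10.1.0.0/16 and a test for 10.1.12.0/24. Set entries and test ranges are passed as CIDR strings; the membership check is modelled with the standard `ipaddress` module, not by calling the kernel.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed stand-in for the contents of a hash:net set (from the thread).
SET_ENTRIES = ["10.1.0.0/16"]


def _nets(entries: Iterable[str]):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def address_matches(entries: Iterable[str], addr: str) -> bool:
    """Per-address match as described for the kernel side: a single
    address matches if any stored network contains it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _nets(entries))


def exact_entry_match(entries: Iterable[str], cidr: str) -> bool:
    """The behaviour observed in the thread when testing a range:
    succeeds only when that exact network is a stored entry."""
    return ipaddress.ip_network(cidr, strict=False) in _nets(entries)


def range_fully_matched(entries: Iterable[str], cidr: str) -> Tuple[bool, int]:
    """The loop proposed in the reply: walk every address of the range
    (network and broadcast included) and bail out at the first miss.
    Returns (matched, number_of_addresses_checked) so the early exit
    is visible."""
    nets = _nets(entries)
    checked = 0
    for ip in ipaddress.ip_network(cidr, strict=False):
        checked += 1
        if not any(ip in net for net in nets):
            return False, checked
    return True, checked


if __name__ == "__main__":
    print(exact_entry_match(SET_ENTRIES, "10.1.0.0/16"))     # True: exact entry
    print(exact_entry_match(SET_ENTRIES, "10.1.12.0/24"))    # False: not an entry
    print(range_fully_matched(SET_ENTRIES, "10.1.12.0/24"))  # (True, 256)
    print(range_fully_matched(SET_ENTRIES, "10.2.0.0/24"))   # (False, 1): bails out
```

With a set holding only 10.1.12.0/25, the loop over 10.1.12.0/24 stops at the 129th address (10.1.12.128), which is the bail-out the reply describes.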
