Hello,

On Thu, 22 Jun 2023, Марк Коренберг wrote:

> 1. In the latest ipset, adding "1.2.3.4/0,tcp:0,1.2.3.0/24" is not
> allowed. I would like it to be allowed. It should match on any TCP
> traffic that matches source and destination.
> 2. The same for protocol number 0. I want "1.2.3.4/0,0:0,1.2.3.0/24"
> to match all traffic that matches source and destination.
>
> These requirements come from the real cases, where an administrator adds
> rules to control access to his networks.
>
> Is it possible to make such changes? TCP port 0 is not real thing, as
> well as IP protocol 0. So we can give them special meaning in IPSets.
>
> although icmp:0 is not so clear in this case. Possibly allow to set -1 ?
> as protocol or port for matching any ?

Sorry, no. It could only be implemented with the price of doubling the
lookup time in the set. Why don't you simply use a hash:net,net type of set?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary