* ipset nethash with cidr 32
From: Victor Safronov @ 2009-06-01 5:11 UTC (permalink / raw)
To: netfilter
Hi.
What type of set should I use in ipset if I want to store in set both ip
addresses and networks (with different prefixes)?
nethash could be useful for me, but there is no possibility to add /32
network (single ip).
* Re: ipset nethash with cidr 32
From: Jozsef Kadlecsik @ 2009-06-02 8:44 UTC (permalink / raw)
To: Victor Safronov; +Cc: netfilter
On Mon, 1 Jun 2009, Victor Safronov wrote:
> What type of set should I use in ipset if I want to store in set both ip
> addresses and networks (with different prefixes)?
> nethash could be useful for me, but there is no possibility to add /32
> network (single ip).
There's no such set type. But you can maintain one set for the network
addresses, one for the IP addresses and create a setlist type of
set with both "subsets" as members.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: ipset nethash with cidr 32
From: Victor A. Safronov @ 2009-07-09 17:34 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
Jozsef Kadlecsik wrote:
> You can maintain one set for the network
> addresses, one for the IP addresses and create a setlist type of
> set with both "subsets" as members.
Now I have trouble with 'setlist'.
For example:
[root@tomgate /]# ipset -N pool1 ipmap --network 192.168.0.0/24
[root@tomgate /]# ipset -A pool1 192.168.0.1
[root@tomgate /]# ipset -N myset setlist
[root@tomgate /]# ipset -A myset pool1
[root@tomgate /]# ipset -T pool1 192.168.0.1
192.168.0.1 is in set pool1.
[root@tomgate /]# ipset -T pool1 192.168.0.2
192.168.0.2 is NOT in set pool1.
[root@tomgate /]# ipset -T myset 192.168.0.1
192.168.0.1 is in set myset.
[root@tomgate /]# ipset -T myset 192.168.0.2
192.168.0.2 is in set myset.
[root@tomgate /]# ipset -T myset stupidgarbage
stupidgarbage is in set myset.
When testing my setlist I always get "is in set".
I suppose that is not normal.
* Re: ipset nethash with cidr 32
From: Jozsef Kadlecsik @ 2009-07-10 8:49 UTC (permalink / raw)
To: Victor A. Safronov; +Cc: netfilter
On Fri, 10 Jul 2009, Victor A. Safronov wrote:
> Jozsef Kadlecsik wrote:
> > You can maintain one set for the network addresses, one for the IP addresses
> > and create a setlist type of set with both "subsets" as members.
> Now I have trouble with 'setlist'.
> For example:
> [root@tomgate /]# ipset -N pool1 ipmap --network 192.168.0.0/24
> [root@tomgate /]# ipset -A pool1 192.168.0.1
> [root@tomgate /]# ipset -N myset setlist
> [root@tomgate /]# ipset -A myset pool1
> [root@tomgate /]# ipset -T pool1 192.168.0.1
> 192.168.0.1 is in set pool1.
> [root@tomgate /]# ipset -T pool1 192.168.0.2
> 192.168.0.2 is NOT in set pool1.
> [root@tomgate /]# ipset -T myset 192.168.0.1
> 192.168.0.1 is in set myset.
> [root@tomgate /]# ipset -T myset 192.168.0.2
> 192.168.0.2 is in set myset.
> [root@tomgate /]# ipset -T myset stupidgarbage
> stupidgarbage is in set myset.
>
> When testing my setlist I always get "is in set".
> I suppose that is not normal.
Good catch: the error code returned by the kernel is incorrect and
misinterpreted by 'ipset'.
But I have to add that it is not possible to test the elements of a subset
by 'ipset' currently: you can test the sets, but not the elements of the
sets. I.e. one can issue
    ipset -T setlist0 setname-from-setlist0
but
    ipset -T setlist0 element-from-setname-from-setlist0
won't work. The current syntax and protocol of ipset do not make
such "fine-grained" testing from userspace possible.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
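
Added example, not part of the original thread and not code from the ipset project: a shell sketch of the layout suggested above (one iphash set, one nethash set, a setlist holding both), with a membership check that queries each member set directly, since elements cannot be tested through the setlist. The set names hosts4, nets4 and all4 and both function names are hypothetical; the -N/-A/-T syntax is the one used in the thread, and the check assumes "ipset -T" on an ordinary set exits with status zero when the address is a member.

```shell
#!/bin/sh
# Added example. Set names and function names are hypothetical.

# Read a mixed list (one address or prefix per line) on stdin and print the
# ipset commands that build the split layout. Bare addresses and /32 entries
# go to the iphash set, every other prefix goes to the nethash set.
# Usage: gen_ipset_cmds HOSTSET NETSET LISTSET < entries.txt
gen_ipset_cmds() {
    hosts=$1 nets=$2 list=$3
    echo "ipset -N $hosts iphash"
    echo "ipset -N $nets nethash"
    echo "ipset -N $list setlist"
    echo "ipset -A $list $hosts"
    echo "ipset -A $list $nets"
    while IFS= read -r entry; do
        case $entry in
            ''|'#'*) continue ;;                       # blank line or comment
            *[!0-9./]*)                                # refuse anything but digits, dots, slash
                echo "skipping invalid entry: $entry" >&2
                continue ;;
            */32) echo "ipset -A $hosts ${entry%/32}" ;;  # single IP written as /32
            */*)  echo "ipset -A $nets $entry" ;;         # real network prefix
            *)    echo "ipset -A $hosts $entry" ;;        # bare address
        esac
    done
}

# Test an address against each member set in turn instead of the setlist.
# Usage: in_any_member ADDRESS SET [SET...]
# Returns 0 if any listed set contains the address, 1 otherwise.
in_any_member() {
    addr=$1
    shift
    for member in "$@"; do
        if ipset -T "$member" "$addr" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}
```

The generator only prints commands, so the output can be reviewed before it is run as root; packet matching in iptables would then reference the setlist (all4), while userspace checks go through in_any_member.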