* ipset nethash with cidr 32
@ 2009-06-01  5:11 Victor Safronov
  2009-06-02  8:44 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 4+ messages in thread
From: Victor Safronov @ 2009-06-01  5:11 UTC (permalink / raw)
  To: netfilter

Hi.
What type of set should I use in ipset if I want to store in a set both IP 
addresses and networks (with different prefixes)?
nethash could be useful for me, but there is no possibility to add a /32 
network (single IP).


* Re: ipset nethash with cidr 32
  2009-06-01  5:11 ipset nethash with cidr 32 Victor Safronov
@ 2009-06-02  8:44 ` Jozsef Kadlecsik
  2009-07-09 17:34   ` Victor A. Safronov
  0 siblings, 1 reply; 4+ messages in thread
From: Jozsef Kadlecsik @ 2009-06-02  8:44 UTC (permalink / raw)
  To: Victor Safronov; +Cc: netfilter

On Mon, 1 Jun 2009, Victor Safronov wrote:

> What type of set should I use in ipset if I want to store in a set both IP
> addresses and networks (with different prefixes)?
> nethash could be useful for me, but there is no possibility to add a /32
> network (single IP).

There's no such set type. But you can maintain one set for the network 
addresses, one for the IP addresses and create a setlist type of 
set with both "subsets" as members.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: ipset nethash with cidr 32
  2009-06-02  8:44 ` Jozsef Kadlecsik
@ 2009-07-09 17:34   ` Victor A. Safronov
  2009-07-10  8:49     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 4+ messages in thread
From: Victor A. Safronov @ 2009-07-09 17:34 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

Jozsef Kadlecsik wrote:
> You can maintain one set for the network 
> addresses, one for the IP addresses and create a setlist type of 
> set with both "subsets" as members.
Now I have trouble with 'setlist'.
For example:
[root@tomgate /]# ipset -N pool1 ipmap --network 192.168.0.0/24
[root@tomgate /]# ipset -A pool1 192.168.0.1
[root@tomgate /]# ipset -N myset setlist
[root@tomgate /]# ipset -A myset pool1
[root@tomgate /]# ipset -T pool1 192.168.0.1
192.168.0.1 is in set pool1.
[root@tomgate /]# ipset -T pool1 192.168.0.2
192.168.0.2 is NOT in set pool1.
[root@tomgate /]# ipset -T myset 192.168.0.1
192.168.0.1 is in set myset.
[root@tomgate /]# ipset -T myset 192.168.0.2
192.168.0.2 is in set myset.
[root@tomgate /]# ipset -T myset stupidgarbage
stupidgarbage is in set myset.

When testing my setlist I always get "is in set".
I suppose that is not normal.


* Re: ipset nethash with cidr 32
  2009-07-09 17:34   ` Victor A. Safronov
@ 2009-07-10  8:49     ` Jozsef Kadlecsik
  0 siblings, 0 replies; 4+ messages in thread
From: Jozsef Kadlecsik @ 2009-07-10  8:49 UTC (permalink / raw)
  To: Victor A. Safronov; +Cc: netfilter

On Fri, 10 Jul 2009, Victor A. Safronov wrote:

> Jozsef Kadlecsik wrote:
> > You can maintain one set for the network addresses, one for the IP addresses
> > and create a setlist type of set with both "subsets" as members.
> Now I have trouble with 'setlist'.
> For example:
> [root@tomgate /]# ipset -N pool1 ipmap --network 192.168.0.0/24
> [root@tomgate /]# ipset -A pool1 192.168.0.1
> [root@tomgate /]# ipset -N myset setlist
> [root@tomgate /]# ipset -A myset pool1
> [root@tomgate /]# ipset -T pool1 192.168.0.1
> 192.168.0.1 is in set pool1.
> [root@tomgate /]# ipset -T pool1 192.168.0.2
> 192.168.0.2 is NOT in set pool1.
> [root@tomgate /]# ipset -T myset 192.168.0.1
> 192.168.0.1 is in set myset.
> [root@tomgate /]# ipset -T myset 192.168.0.2
> 192.168.0.2 is in set myset.
> [root@tomgate /]# ipset -T myset stupidgarbage
> stupidgarbage is in set myset.
> 
> When testing my setlist I always get "is in set".
> I suppose that is not normal.

Good catch: the error code returned by the kernel is incorrect and 
misinterpreted by 'ipset'.

But I have to add that it is not possible to test the elements of a subset 
by 'ipset' currently: you can test the sets, but not the elements of the 
sets. I.e. one can issue

ipset -T setlist0 setname-from-setlist0

but 

ipset -T setlist0 element-from-setname-from-setlist0

won't work. The current syntax and protocol of ipset do not make 
such "fine-grained" testing from userspace possible.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
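
The two-set arrangement and the per-member test described in the replies above, as an added example that is not part of the original thread: a script that sorts a mixed list into an iphash set and a nethash set under one setlist and prints the ipset commands instead of running them. The set names (hosts4, nets4, mixed4), the sample entries and the rejection of /0 are assumptions of this example.

```sh
#!/bin/sh
# Added example: prints (does not run) ipset commands. Set names are constructed.
HOSTS=hosts4; NETS=nets4; LIST=mixed4

# classify ENTRY -> "ip ADDR" or "net ADDR/PREFIX"; returns 1 if malformed.
classify() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    # /0 is rejected here by choice: in a match set it covers every address.
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    if [ "$prefix" -eq 32 ]; then echo "ip $addr"; else echo "net $addr/$prefix"; fi
}

# build_cmds ENTRY... -> create both sets, join them in a setlist, add entries.
# Malformed entries go to stderr, never into the command stream; returns 1 then.
build_cmds() {
    rc=0
    echo "ipset -N $HOSTS iphash"
    echo "ipset -N $NETS nethash"
    echo "ipset -N $LIST setlist"
    echo "ipset -A $LIST $HOSTS"
    echo "ipset -A $LIST $NETS"
    for e in "$@"; do
        if c=$(classify "$e"); then
            case $c in
                ip\ *)  echo "ipset -A $HOSTS ${c#ip }" ;;
                net\ *) echo "ipset -A $NETS ${c#net }" ;;
            esac
        else
            echo "skipped malformed entry" >&2; rc=1
        fi
    done
    return $rc
}

# member_tests ADDR -> one "ipset -T" per member set, since -T on the setlist
# itself tests set names only, not the elements inside them.
member_tests() {
    c=$(classify "$1") || return 1
    case $c in ip\ *) ;; *) return 1 ;; esac
    echo "ipset -T $HOSTS ${c#ip }"; echo "ipset -T $NETS ${c#ip }"
}
```

An address counts as covered by the setlist when either generated test reports it is in the set.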
