nomatch in bitmap:* sets

nomatch in bitmap:* sets

[Mr Dash Four]

Currently only hash:* sets have the "nomatch" feature. Could this be 
extended to bitmap:* sets as well?

Re: nomatch in bitmap:* sets

[Jozsef Kadlecsik]

On Sun, 8 Apr 2012, Mr Dash Four wrote:

> Currently only hash:* sets have the "nomatch" feature. Could this be 
> extended to bitmap:* sets as well?

Actually, hash:*net* types have the "nomatch" feature. How would it make 
sense to add it to the bitmap:* types too?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: nomatch in bitmap:* sets

[Mr Dash Four]

>> Currently only hash:* sets have the "nomatch" feature. Could this be 
>> extended to bitmap:* sets as well?
>>     
>
> Actually, hash:*net* types have the "nomatch" feature. How would it make 
> sense to add it to the bitmap:* types too?
>   
I was thinking along the lines of this:

1. bitmap:port - currently, if I want to exclude specific ports from a 
given range (say ports 21,80,119,443 from ports range 1-1023) then I 
have to do the following:
n test-ports bitmap:port range 1-1023 timeout 0
a test-ports 1-20
a test-ports 22-79
a test-ports 81-118
a test-ports 120-442
a test-ports 444-1023

Very inconvenient and it is not immediately obvious which ports have 
been excluded from that range. By doing something like this:
n test-ports bitmap:port range 1-1023 timeout 0
a test-ports 1-1023
a test-ports 21 nomatch
a test-ports 80 nomatch
a test-ports 119 nomatch
a test-ports 443 nomatch

it is much more clearer what is going on.

2. bitmap:ip - same as above really: If I want to exclude a particular 
IP addresses from a given range (say 10.1.1.3, 10.1.1.9 and 10.1.1.14 
from 10.1.1.0/24) I have to do almost the same as with bitmap:port set 
above:
n test-bitmap-net bitmap:ip range 10.1.1.0/24 timeout 0
a test-bitmap-net 10.1.1.0-10.1.1.2
a test-bitmap-net 10.1.1.4-10.1.1.8
a test-bitmap-net 10.1.1.10-10.1.1.13
a test-bitmap-net 10.1.1.15-10.1.1.255

Again, it is not immediately obvious what has been excluded. By doing 
something like the following:
n test-bitmap-net bitmap:ip range 10.1.1.0/24 timeout 0
a test-bitmap-net 10.1.1.0/24
a test-bitmap-net 10.1.1.3 nomatch
a test-bitmap-net 10.1.1.9 nomatch
a test-bitmap-net 10.1.1.14 nomatch

that it is much more clearer.

Re: nomatch in bitmap:* sets

[Jozsef Kadlecsik]

On Sun, 8 Apr 2012, Mr Dash Four wrote:

> > > Currently only hash:* sets have the "nomatch" feature. Could this be
> > > extended to bitmap:* sets as well?
> > >     
> > 
> > Actually, hash:*net* types have the "nomatch" feature. How would it make
> > sense to add it to the bitmap:* types too?
> >   
> I was thinking along the lines of this:
> 
> 1. bitmap:port - currently, if I want to exclude specific ports from a given
> range (say ports 21,80,119,443 from ports range 1-1023) then I have to do the
> following:
> n test-ports bitmap:port range 1-1023 timeout 0
> a test-ports 1-20
> a test-ports 22-79
> a test-ports 81-118
> a test-ports 120-442
> a test-ports 444-1023
> 
> Very inconvenient and it is not immediately obvious which ports have been
> excluded from that range. By doing something like this:
> n test-ports bitmap:port range 1-1023 timeout 0
> a test-ports 1-1023
> a test-ports 21 nomatch
> a test-ports 80 nomatch
> a test-ports 119 nomatch
> a test-ports 443 nomatch
> 
> it is much more clearer what is going on.

That's equivalent with

n test-ports bitmap:port range 1-1023 timeout 0
a test-ports 1-1023
d test-ports 21
d test-ports 80
d test-ports 119
d test-ports 443

Therefore I don't see the point of the "nomatch" flag for the bitmap:*
types.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: nomatch in bitmap:* sets

[Mr Dash Four]

> That's equivalent with
>
> n test-ports bitmap:port range 1-1023 timeout 0
> a test-ports 1-1023
> d test-ports 21
> d test-ports 80
> d test-ports 119
> d test-ports 443
>   
It is indeed! That's something I did not know about! The "delete" 
command wasn't acceptable in ipset restore file before (in all honesty I 
did try this back in 4.x and gave up after it was rejected). Which 
version of ipset was this introduced into?

Re: nomatch in bitmap:* sets

[Jozsef Kadlecsik]

On Mon, 9 Apr 2012, Mr Dash Four wrote:

> > That's equivalent with
> > 
> > n test-ports bitmap:port range 1-1023 timeout 0
> > a test-ports 1-1023
> > d test-ports 21
> > d test-ports 80
> > d test-ports 119
> > d test-ports 443
> >   
> It is indeed! That's something I did not know about! The "delete" command
> wasn't acceptable in ipset restore file before (in all honesty I did try this
> back in 4.x and gave up after it was rejected). Which version of ipset was
> this introduced into?

That was introduced in 6.x (actually, in 5.x).

Every command is accepted in a restore file, except the information ones 
(help, list).

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: nomatch in bitmap:* sets

[Mr Dash Four]

> That was introduced in 6.x (actually, in 5.x).
>
> Every command is accepted in a restore file, except the information ones 
> (help, list).
>   
Thanks Jozsef, I am able to use delete, which suits me fine and does 
what I want it to.