* Ipset counters question
From: Jean-Philippe Menil @ 2011-03-29 10:31 UTC (permalink / raw)
  To: netfilter

Hi,

Basically, I'm working on a captive portal, which adds some rules to the
PRE/POSTROUTING mangle table when a user is fully authenticated.
$IPTABLES -t mangle -N OUT-AUTH
$IPTABLES -t mangle -A PREROUTING -j OUT-AUTH
$IPTABLES -t mangle -N IN-AUTH
$IPTABLES -t mangle -A POSTROUTING -j IN-AUTH

and the following rules are appended when a user is authenticated:
$IPTABLES -t mangle -A OUT-AUTH -s $IP -m mac --mac-source $IP -j MARK --set-mark 10
$IPTABLES -t mangle -A IN-AUTH -d $IP -j ACCEPT

I discovered ipset and began to play with it.
If my understanding is correct, I can add:

ipset -N TEST macipmap --network 192.168.100.0/24
$IPTABLES -t mangle -A IN-AUTH -m set --set TEST src,dst -j ACCEPT
$IPTABLES -t mangle -A OUT-AUTH -m set --set TEST src,dst -j MARK --set-mark 10

And when a user authenticates, add the following ipset entry:
ipset -A TEST 192.168.100.2,xx:xx:xx:xx:xx:xx

However, for accounting reasons, I used to check the iptables
counters (-nvxL) by IP.
If I replace my iptables rules with an ipset match, I cannot check
counters anymore.

If I decide to use ipset, is there a way to check counters by IP, or
something like that?

Regards.

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09



* Re: Ipset counters question
From: Jozsef Kadlecsik @ 2011-03-30 20:17 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

On Tue, 29 Mar 2011, Jean-Philippe Menil wrote:

> Basically, I'm working on a captive portal, which adds some rules to the
> PRE/POSTROUTING mangle table when a user is fully authenticated.
> $IPTABLES -t mangle -N OUT-AUTH
> $IPTABLES -t mangle -A PREROUTING -j OUT-AUTH
> $IPTABLES -t mangle -N IN-AUTH
> $IPTABLES -t mangle -A POSTROUTING -j IN-AUTH
> 
> and the following rules are appended when a user is authenticated:
> $IPTABLES -t mangle -A OUT-AUTH -s $IP -m mac --mac-source $IP -j MARK --set-mark 10
> $IPTABLES -t mangle -A IN-AUTH -d $IP -j ACCEPT
> 
> I discovered ipset and began to play with it.
> If my understanding is correct, I can add:
> 
> ipset -N TEST macipmap --network 192.168.100.0/24
> $IPTABLES -t mangle -A IN-AUTH -m set --set TEST src,dst -j ACCEPT
> $IPTABLES -t mangle -A OUT-AUTH -m set --set TEST src,dst -j MARK --set-mark 10

The set match for the bitmap:ip,mac (macipmap) type can check the *source* 
MAC address only. It is documented in the manpage.
 
Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: Ipset counters question
From: Jean-Philippe Menil @ 2011-03-31  6:42 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On 30/03/2011 22:17, Jozsef Kadlecsik wrote:
> On Tue, 29 Mar 2011, Jean-Philippe Menil wrote:
>
>> Basically, I'm working on a captive portal, which adds some rules to the
>> PRE/POSTROUTING mangle table when a user is fully authenticated.
>> $IPTABLES -t mangle -N OUT-AUTH
>> $IPTABLES -t mangle -A PREROUTING -j OUT-AUTH
>> $IPTABLES -t mangle -N IN-AUTH
>> $IPTABLES -t mangle -A POSTROUTING -j IN-AUTH
>>
>> and the following rules are appended when a user is authenticated:
>> $IPTABLES -t mangle -A OUT-AUTH -s $IP -m mac --mac-source $IP -j MARK --set-mark 10
>> $IPTABLES -t mangle -A IN-AUTH -d $IP -j ACCEPT
>>
>> I discovered ipset and began to play with it.
>> If my understanding is correct, I can add:
>>
>> ipset -N TEST macipmap --network 192.168.100.0/24
>> $IPTABLES -t mangle -A IN-AUTH -m set --set TEST src,dst -j ACCEPT
>> $IPTABLES -t mangle -A OUT-AUTH -m set --set TEST src,dst -j MARK --set-mark 10
> The set match for the bitmap:ip,mac (macipmap) type can check the *source*
> MAC address only. It is documented in the manpage.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>            H-1525 Budapest 114, POB. 49, Hungary
Hi,

Thanks for clarifying this point.
I need to update my rules accordingly, and re-read the manpages.

What about counters?

Regards.

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09



* Re: Ipset counters question
From: Jozsef Kadlecsik @ 2011-03-31 18:16 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

On Thu, 31 Mar 2011, Jean-Philippe Menil wrote:

> On 30/03/2011 22:17, Jozsef Kadlecsik wrote:
> > On Tue, 29 Mar 2011, Jean-Philippe Menil wrote:
> > 
> > > Basically, I'm working on a captive portal, which adds some rules to the
> > > PRE/POSTROUTING mangle table when a user is fully authenticated.
> > > $IPTABLES -t mangle -N OUT-AUTH
> > > $IPTABLES -t mangle -A PREROUTING -j OUT-AUTH
> > > $IPTABLES -t mangle -N IN-AUTH
> > > $IPTABLES -t mangle -A POSTROUTING -j IN-AUTH
> > > 
> > > and the following rules are appended when a user is authenticated:
> > > $IPTABLES -t mangle -A OUT-AUTH -s $IP -m mac --mac-source $IP -j MARK --set-mark 10
> > > $IPTABLES -t mangle -A IN-AUTH -d $IP -j ACCEPT
> > > 
> > > I discovered ipset and began to play with it.
> > > If my understanding is correct, I can add:
> > > 
> > > ipset -N TEST macipmap --network 192.168.100.0/24
> > > $IPTABLES -t mangle -A IN-AUTH -m set --set TEST src,dst -j ACCEPT
> > > $IPTABLES -t mangle -A OUT-AUTH -m set --set TEST src,dst -j MARK --set-mark 10
> > The set match for the bitmap:ip,mac (macipmap) type can check the *source*
> > MAC address only. It is documented in the manpage.
> > 
> Thanks for clarifying this point.
> I need to update my rules accordingly, and re-read the manpages.
> 
> What about counters?
>
> > However, for accounting reasons, I used to check the iptables 
> > counters (-nvxL) by IP.
> > If I replace my iptables rules with an ipset match, I cannot check 
> > counters anymore.

I don't really understand what you mean by "cannot check the counters". 
Do you mean the counters are not updated? If there's no match due to the 
src/dest MAC mixup, it won't.

The set match is quite ordinary from the iptables point of view.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: Ipset counters question
From: Jean-Philippe Menil @ 2011-03-31 19:05 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On 31/03/2011 20:16, Jozsef Kadlecsik wrote:
> On Thu, 31 Mar 2011, Jean-Philippe Menil wrote:
>
>> On 30/03/2011 22:17, Jozsef Kadlecsik wrote:
>>> On Tue, 29 Mar 2011, Jean-Philippe Menil wrote:
>>>
>>>> Basically, I'm working on a captive portal, which adds some rules to the
>>>> PRE/POSTROUTING mangle table when a user is fully authenticated.
>>>> $IPTABLES -t mangle -N OUT-AUTH
>>>> $IPTABLES -t mangle -A PREROUTING -j OUT-AUTH
>>>> $IPTABLES -t mangle -N IN-AUTH
>>>> $IPTABLES -t mangle -A POSTROUTING -j IN-AUTH
>>>>
>>>> and the following rules are appended when a user is authenticated:
>>>> $IPTABLES -t mangle -A OUT-AUTH -s $IP -m mac --mac-source $IP -j MARK --set-mark 10
>>>> $IPTABLES -t mangle -A IN-AUTH -d $IP -j ACCEPT
>>>>
>>>> I discovered ipset and began to play with it.
>>>> If my understanding is correct, I can add:
>>>>
>>>> ipset -N TEST macipmap --network 192.168.100.0/24
>>>> $IPTABLES -t mangle -A IN-AUTH -m set --set TEST src,dst -j ACCEPT
>>>> $IPTABLES -t mangle -A OUT-AUTH -m set --set TEST src,dst -j MARK --set-mark 10
>>> The set match for the bitmap:ip,mac (macipmap) type can check the *source*
>>> MAC address only. It is documented in the manpage.
>>>
>> Thanks for clarifying this point.
>> I need to update my rules accordingly, and re-read the manpages.
>>
>> What about counters?
>>
>>> However, for accounting reasons, I used to check the iptables
>>> counters (-nvxL) by IP.
>>> If I replace my iptables rules with an ipset match, I cannot check
>>> counters anymore.
>
> I don't really understand what you mean by "cannot check the counters".
> Do you mean the counters are not updated? If there's no match due to the
> src/dest MAC mixup, it won't.
>
> The set match is quite ordinary from the iptables point of view.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>            H-1525 Budapest 114, POB. 49, Hungary

No, the rules are correct, and counters are updated correctly.

Let me explain: in iptables, I have this in a mangle chain:

Chain WD_BG_Outgoing (1 references)
 pkts bytes target     prot opt in     out     source               destination
 238K   18M MARK       all  --  *      *       192.168.10.255       0.0.0.0/0           MAC F0:7B:CB:8C:6C:6F MARK set 0x2
 196K   12M MARK       all  --  *      *       192.168.11.214       0.0.0.0/0           MAC 00:25:00:4E:E3:B7 MARK set 0x2
 9436 3210K MARK       all  --  *      *       192.168.10.195       0.0.0.0/0           MAC F0:7B:CB:52:3D:BE MARK set 0x2
 289K   68M MARK       all  --  *      *       192.168.11.211       0.0.0.0/0           MAC 00:22:69:3D:4C:13 MARK set 0x2
 710K   40M MARK       all  --  *      *       192.168.10.34        0.0.0.0/0           MAC C8:0A:A9:45:E5:3D MARK set 0x2
1605K   93M MARK       all  --  *      *       192.168.11.155       0.0.0.0/0           MAC 00:26:6C:5A:0C:0A MARK set 0x2
81534   14M MARK       all  --  *      *       192.168.11.136       0.0.0.0/0           MAC 00:0F:B0:D6:1D:19 MARK set 0x2
 420K   26M MARK       all  --  *      *       192.168.11.149       0.0.0.0/0           MAC 00:24:21:44:FB:40 MARK set 0x2
13128 3437K MARK       all  --  *      *       192.168.10.186       0.0.0.0/0           MAC 00:26:5E:27:8C:33 MARK set 0x2

--snip--

If I use ipset, with rules like these:
ipset -N WEBAUTHIP bitmap:ip,mac --network 192.168.10.0/24
iptables -t mangle -I WD_BG_Outgoing -m set --set WEBAUTHIP src -j ACCEPT

And add clients with ipset -A WEBAUTHIP ip,mac

If I list my mangle chain (WD_BG_Outgoing), I will see only the counters 
for the WEBAUTHIP match-set:
Chain WD_BG_Outgoing (0 references)
 pkts bytes target     prot opt in     out     source               destination
 111M  475M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set WEBAUTHIP src

and I can't check the counters by IP for my clients anymore.

Maybe I'm not so clear...

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09


* Re: Ipset counters question
From: Jozsef Kadlecsik @ 2011-03-31 19:24 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

On Thu, 31 Mar 2011, Jean-Philippe Menil wrote:

> Let me explain: in iptables, I have this in a mangle chain:
> 
> Chain WD_BG_Outgoing (1 references)
>  pkts bytes target     prot opt in     out     source destination
>  238K   18M MARK       all  --  *      *       192.168.10.255 0.0.0.0/0
> MAC F0:7B:CB:8C:6C:6F MARK set 0x2
>  196K   12M MARK       all  --  *      *       192.168.11.214 0.0.0.0/0
> MAC 00:25:00:4E:E3:B7 MARK set 0x2
>  9436 3210K MARK       all  --  *      *       192.168.10.195 0.0.0.0/0
> MAC F0:7B:CB:52:3D:BE MARK set 0x2
>  289K   68M MARK       all  --  *      *       192.168.11.211 0.0.0.0/0
> MAC 00:22:69:3D:4C:13 MARK set 0x2
>  710K   40M MARK       all  --  *      *       192.168.10.34 0.0.0.0/0
> MAC C8:0A:A9:45:E5:3D MARK set 0x2
> 1605K   93M MARK       all  --  *      *       192.168.11.155 0.0.0.0/0
> MAC 00:26:6C:5A:0C:0A MARK set 0x2
> 81534   14M MARK       all  --  *      *       192.168.11.136 0.0.0.0/0
> MAC 00:0F:B0:D6:1D:19 MARK set 0x2
>  420K   26M MARK       all  --  *      *       192.168.11.149 0.0.0.0/0
> MAC 00:24:21:44:FB:40 MARK set 0x2
> 13128 3437K MARK       all  --  *      *       192.168.10.186 0.0.0.0/0
> MAC 00:26:5E:27:8C:33 MARK set 0x2
> 
> --snip--
> 
> If I use ipset, with rules like these:
> ipset -N WEBAUTHIP bitmap:ip,mac --network 192.168.10.0/24
> iptables -t mangle -I WD_BG_Outgoing -m set --set WEBAUTHIP src -j ACCEPT
> 
> And add clients with ipset -A WEBAUTHIP ip,mac
> 
> If I list my mangle chain (WD_BG_Outgoing), I will see only the counters for
> the WEBAUTHIP match-set:
> Chain WD_BG_Outgoing (0 references)
>  pkts bytes target     prot opt in     out     source destination
>     111M     475M ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0
> match-set WEBAUTHIP src
> 
> and I can't check the counters by IP for my clients anymore.

The rules are collapsed into a single rule, so there are no more 
individual counters. That's a tradeoff and you have to decide which is more 
important: fewer rules or counters. 

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
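An added example, not code from the thread: ipset releases well after this 2011 exchange gained a "counters" extension (the set is created with the "counters" keyword, e.g. ipset create WEBAUTHIP bitmap:ip,mac range 192.168.10.0/24 timeout 600 counters), and "ipset list" then reports per-entry packet and byte counters, which gives back the per-client accounting the single collapsed iptables rule loses. The script below parses such a listing; the sample listing, its member entries and counter values are constructed, and the set name WEBAUTHIP is taken from the thread.

```shell
#!/bin/sh
# Per-client accounting from "ipset list SET" output on an ipset built with
# the "counters" (and optionally "timeout") extension. Added example; the
# listing below is constructed to mimic real "ipset list" output.
SAMPLE_IPSET_LIST='Name: WEBAUTHIP
Type: bitmap:ip,mac
Revision: 3
Header: range 192.168.10.0-192.168.10.255 timeout 600 counters
Size in memory: 4184
References: 1
Number of entries: 3
Members:
192.168.10.34,C8:0A:A9:45:E5:3D timeout 587 packets 710123 bytes 40211234
192.168.10.195,F0:7B:CB:52:3D:BE timeout 12 packets 9436 bytes 3210456
192.168.10.186,00:26:5E:27:8C:33 timeout 0 packets 13128 bytes 3437890'

# Read an "ipset list" listing on stdin and print one line per member:
#   ip mac packets bytes timeout
# sorted by bytes, largest first. Fields a set does not carry print as "-".
ipset_client_counters() {
    awk '
        /^Members:/ { in_members = 1; next }
        in_members && NF > 0 {
            split($1, e, ",")              # "ip,mac" -> e[1], e[2]
            t = p = b = "-"
            for (i = 2; i < NF; i += 2) {  # key/value pairs after the entry
                if ($i == "timeout") t = $(i + 1)
                else if ($i == "packets") p = $(i + 1)
                else if ($i == "bytes") b = $(i + 1)
            }
            printf "%s %s %s %s %s\n", e[1], e[2], p, b, t
        }' | sort -k4,4nr
}

# Print the "ip,mac" of members whose remaining timeout (seconds) is below
# $1: the clients the kernel is about to expire as idle.
ipset_idle_clients() {
    awk -v th="$1" '
        /^Members:/ { in_members = 1; next }
        in_members {
            for (i = 2; i < NF; i += 2)
                if ($i == "timeout" && $(i + 1) + 0 < th) print $1
        }'
}

# Usage on the constructed listing; on a live box replace the printf with
# "ipset list WEBAUTHIP".
printf '%s\n' "$SAMPLE_IPSET_LIST" | ipset_client_counters
printf '%s\n' "$SAMPLE_IPSET_LIST" | ipset_idle_clients 60
```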


* Re: Ipset counters question
From: Jean-Philippe Menil @ 2011-03-31 19:55 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On 31/03/2011 21:24, Jozsef Kadlecsik wrote:
> On Thu, 31 Mar 2011, Jean-Philippe Menil wrote:
>
>> Let me explain: in iptables, I have this in a mangle chain:
>>
>> Chain WD_BG_Outgoing (1 references)
>>   pkts bytes target     prot opt in     out     source destination
>>   238K   18M MARK       all  --  *      *       192.168.10.255 0.0.0.0/0
>> MAC F0:7B:CB:8C:6C:6F MARK set 0x2
>>   196K   12M MARK       all  --  *      *       192.168.11.214 0.0.0.0/0
>> MAC 00:25:00:4E:E3:B7 MARK set 0x2
>>   9436 3210K MARK       all  --  *      *       192.168.10.195 0.0.0.0/0
>> MAC F0:7B:CB:52:3D:BE MARK set 0x2
>>   289K   68M MARK       all  --  *      *       192.168.11.211 0.0.0.0/0
>> MAC 00:22:69:3D:4C:13 MARK set 0x2
>>   710K   40M MARK       all  --  *      *       192.168.10.34 0.0.0.0/0
>> MAC C8:0A:A9:45:E5:3D MARK set 0x2
>> 1605K   93M MARK       all  --  *      *       192.168.11.155 0.0.0.0/0
>> MAC 00:26:6C:5A:0C:0A MARK set 0x2
>> 81534   14M MARK       all  --  *      *       192.168.11.136 0.0.0.0/0
>> MAC 00:0F:B0:D6:1D:19 MARK set 0x2
>>   420K   26M MARK       all  --  *      *       192.168.11.149 0.0.0.0/0
>> MAC 00:24:21:44:FB:40 MARK set 0x2
>> 13128 3437K MARK       all  --  *      *       192.168.10.186 0.0.0.0/0
>> MAC 00:26:5E:27:8C:33 MARK set 0x2
>>
>> --snip--
>>
>> If I use ipset, with rules like these:
>> ipset -N WEBAUTHIP bitmap:ip,mac --network 192.168.10.0/24
>> iptables -t mangle -I WD_BG_Outgoing -m set --set WEBAUTHIP src -j ACCEPT
>>
>> And add clients with ipset -A WEBAUTHIP ip,mac
>>
>> If I list my mangle chain (WD_BG_Outgoing), I will see only the counters for
>> the WEBAUTHIP match-set:
>> Chain WD_BG_Outgoing (0 references)
>>   pkts bytes target     prot opt in     out     source destination
>>      111M     475M ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0
>> match-set WEBAUTHIP src
>>
>> and I can't check the counters by IP for my clients anymore.
>
> The rules are collapsed into a single rule, so there are no more
> individual counters. That's a tradeoff and you have to decide which is more
> important: fewer rules or counters.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>            H-1525 Budapest 114, POB. 49, Hungary

That's what I thought, and I needed to be sure.

As I can do without the counters for the moment, I will keep my rules.
But as I'm very interested in ipset, I will think about doing otherwise.

Thanks a lot.

Regards.

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09


* Re: Ipset counters question
From: Jean-Philippe Menil @ 2011-04-14  7:16 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On 31/03/2011 21:55, Jean-Philippe Menil wrote:
>
> That's what I thought, and I needed to be sure.
>
> As I can do without the counters for the moment, I will keep my rules.
> But as I'm very interested in ipset, I will think about doing otherwise.
>
> Thanks a lot.
>
> Regards.
>
Hi,

I return to this story of counters.
Since I don't really need counters, but just to know when there is 
no more traffic for a user in order to decrement an idle timeout,
I decided to use ipset with the bitmap:ip,mac type and the timeout value.

However, the timeout doesn't really do what I need, so I use a dirty hack 
to reset the timeout counter every time a packet is matched;
so when there are no more packets, the timeout value begins to decrement.

I do this in the bitmap_ipmac_ttest function; I'm just wondering if it 
is the right place to do this.

Thanks for your advice.

Regards.

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09



* Re: Ipset counters question
From: Jozsef Kadlecsik @ 2011-04-15 12:53 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter


Hi,

On Thu, 14 Apr 2011, Jean-Philippe Menil wrote:

> On 31/03/2011 21:55, Jean-Philippe Menil wrote:
> > 
> > That's what I thought, and I needed to be sure.
> > 
> > As I can do without the counters for the moment, I will keep my rules.
> > But as I'm very interested in ipset, I will think about doing otherwise.
> 
> I return to this story of counters.
> Since I don't really need counters, but just to know when there is no
> more traffic for a user in order to decrement an idle timeout,
> I decided to use ipset with the bitmap:ip,mac type and the timeout value.
> 
> However, the timeout doesn't really do what I need, so I use a dirty hack to
> reset the timeout counter every time a packet is matched;
> so when there are no more packets, the timeout value begins to decrement.
> 
> I do this in the bitmap_ipmac_ttest function; I'm just wondering if it is the
> right place to do this.

The proper way would be to reset the timeout value by the SET target,
which is not supported yet.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: Ipset counters question
From: Jean-Philippe Menil @ 2011-04-15 13:10 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On 15/04/2011 14:53, Jozsef Kadlecsik wrote:
> Hi,
>
> On Thu, 14 Apr 2011, Jean-Philippe Menil wrote:
>
>> On 31/03/2011 21:55, Jean-Philippe Menil wrote:
>>> That's what I thought, and I needed to be sure.
>>>
>>> As I can do without the counters for the moment, I will keep my rules.
>>> But as I'm very interested in ipset, I will think about doing otherwise.
>> I return to this story of counters.
>> Since I don't really need counters, but just to know when there is no
>> more traffic for a user in order to decrement an idle timeout,
>> I decided to use ipset with the bitmap:ip,mac type and the timeout value.
>>
>> However, the timeout doesn't really do what I need, so I use a dirty hack to
>> reset the timeout counter every time a packet is matched;
>> so when there are no more packets, the timeout value begins to decrement.
>>
>> I do this in the bitmap_ipmac_ttest function; I'm just wondering if it is the
>> right place to do this.
> The proper way would be to reset the timeout value by the SET target,
> which is not supported yet.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>            H-1525 Budapest 114, POB. 49, Hungary
Hi,

You mean, in the iptables userspace?

Why not have a flag like "-idle" in ipset, and reset the timeout to 
the default when the flag is set?

I'm just asking this to be sure I do this properly, even if this 
request is marginal.

Thanks for your advice

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09



* Re: Ipset counters question
From: Jozsef Kadlecsik @ 2011-04-18 19:07 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

On Fri, 15 Apr 2011, Jean-Philippe Menil wrote:

> On 15/04/2011 14:53, Jozsef Kadlecsik wrote:
> > 
> > On Thu, 14 Apr 2011, Jean-Philippe Menil wrote:
> > 
> > > On 31/03/2011 21:55, Jean-Philippe Menil wrote:
> > > > That's what I thought, and I needed to be sure.
> > > > 
> > > > As I can do without the counters for the moment, I will keep my rules.
> > > > But as I'm very interested in ipset, I will think about doing otherwise.
> > > I return to this story of counters.
> > > Since I don't really need counters, but just to know when there is
> > > no more traffic for a user in order to decrement an idle timeout,
> > > I decided to use ipset with the bitmap:ip,mac type and the timeout value.
> > > 
> > > However, the timeout doesn't really do what I need, so I use a dirty hack to
> > > reset the timeout counter every time a packet is matched;
> > > so when there are no more packets, the timeout value begins to decrement.
> > > 
> > > I do this in the bitmap_ipmac_ttest function; I'm just wondering if it is
> > > the right place to do this.
> > The proper way would be to reset the timeout value by the SET target,
> > which is not supported yet.
> 
> You mean, in the iptables userspace?
> 
> Why not have a flag like "-idle" in ipset, and reset the timeout to the default
> when the flag is set?
> 
> I'm just asking this to be sure I do this properly, even if this request is
> marginal.

Both sides need to support the functionality: kernel and userspace.
Before weekend I'll release ipset 6.4 which will support it.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
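An added example, not code from the thread or the ipset project: the captive-portal ruleset the thread converges on, using a bitmap:ip,mac set with a timeout and the iptables SET target's --exist flag (the timeout-reset support Jozsef says ipset 6.4 adds on the kernel and userspace side) to refresh an entry's timeout on every matched packet, so idle clients expire in the kernel without any per-IP rule. The set and chain names and the 0x2 mark come from the listing above; the 600 s idle timeout, the use of PREROUTING, and the DRY_RUN switch (default on, so the script prints the commands instead of running them) are assumptions.

```shell
#!/bin/sh
# Idle-timeout captive portal with ipset + the SET target (added example).
# With DRY_RUN=1 every command is printed instead of executed; set DRY_RUN=0
# and run as root to apply it on a box with ipset >= 6.4 and a matching kernel.
set -eu

SET_NAME=${SET_NAME:-WEBAUTHIP}
NETWORK=${NETWORK:-192.168.10.0/24}
IDLE_TIMEOUT=${IDLE_TIMEOUT:-600}   # seconds of silence before a client expires (assumed)
CHAIN=${CHAIN:-WD_BG_Outgoing}
MARK=${MARK:-0x2}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

portal_setup() {
    # One set holds every authenticated client as ip,mac; the set-level
    # timeout makes the kernel drop entries that are not refreshed.
    run ipset -exist create "$SET_NAME" bitmap:ip,mac range "$NETWORK" timeout "$IDLE_TIMEOUT"
    run iptables -t mangle -N "$CHAIN"
    run iptables -t mangle -A PREROUTING -j "$CHAIN"
    # Rule 1: a packet whose source ip,mac is in the set re-adds the entry
    # with --exist, which resets its timeout to the set default. This is the
    # "reset on every matched packet" the thread asks for, done by the SET
    # target instead of a hack inside bitmap_ipmac_ttest.
    run iptables -t mangle -A "$CHAIN" -m set --match-set "$SET_NAME" src \
        -j SET --add-set "$SET_NAME" src --exist
    # Rule 2: the policy decision for authenticated clients (same mark as
    # the per-IP MARK rules it replaces). Only the source MAC can be
    # matched for bitmap:ip,mac, so both rules use "src".
    run iptables -t mangle -A "$CHAIN" -m set --match-set "$SET_NAME" src \
        -j MARK --set-mark "$MARK"
}

# Called by the portal when a user authenticates: portal_login IP MAC.
# -exist makes a repeated login idempotent (and refreshes the timeout).
portal_login()  { run ipset -exist add "$SET_NAME" "$1,$2"; }

# Explicit logout: portal_logout IP MAC. Idle clients need no call at all;
# the kernel removes them when the timeout reaches zero.
portal_logout() { run ipset -exist del "$SET_NAME" "$1,$2"; }

portal_setup
portal_login 192.168.10.34 C8:0A:A9:45:E5:3D   # constructed client, from the listing
```

The order of the two rules matters: the refresh must precede the MARK rule only if a later rule could end traversal early (as an ACCEPT would); keeping the refresh first is the safe default.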

