From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: Mr Dash Four <mr.dash.four@googlemail.com>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [ANNOUNCE] ipset 6.11 released
Date: Sun, 15 Jan 2012 21:21:52 +0100 (CET)
Message-ID: <alpine.DEB.2.00.1201152100050.29766@blackhole.kfki.hu>
In-Reply-To: <4F131551.2090608@googlemail.com>

On Sun, 15 Jan 2012, Mr Dash Four wrote:
> > > Any chance of fixing this bug soon:
> > >
> > > ~# ipset n test hash:net family inet timeout 0
> > > ~# ipset a test 10.1.0.0/16
> > > ~# ipset t test 10.1.12.12
> > > 10.1.12.12 is in set test.
> > > ~# ipset t test 10.1.12.0/24
> > > 10.1.12.0/24 is NOT in test.
> >
> > It's a feature which I'm not going to fix in any near future.
> >
> It isn't a "feature", it is a bug: 10.1.12.0/24 is within the 10.1.0.0/16
> range, so the above test should return true, not false. Either that, or ip
> range values should be restricted/excluded from the "test" command in the
> ipset userspace binary.

The "test" functionality is already overloaded. It has two "modes":

- you can test how the *kernel* sees the set, when checking a single IP
  address
- you can check whether an *exact* element is added to the set or not.

As the first one overloads the second one, for hash:*net* types the second
mode is already "incomplete" in the sense that one cannot check whether a
given single IP address is already added to a hash:*net* type of set as an
exact element or not, because a network element may match it.

Your request means a third mode, which could lead to even more confusion,
because that way one could not check whether the tested address as
*element* is added to the set or not.

There's no magical element-aggregation in the hash:* types. That is, even
if 10.1.0.0/16 is added as an element, 10.1.0.0/24 can be added again as
an independent element: either it should be rejected (when the command was
issued without the --exist flag) or silently ignored (when it was issued
with it). So even to consider your feature requests, it could come only after
implementing element-aggregation.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
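
The two "test" modes described in the message above, plus the range-coverage check the requester asked for, modelled in userspace as an added example (not code from the thread or from the ipset project). `SAMPLE_SAVE` is constructed input in `ipset save` format, the function names are hypothetical, and only plain elements (no per-element flags other than `timeout`) are assumed. A firewall audit script that needs to know whether a whole range is blocked can use a check like `covered()` instead of relying on `ipset test` with a CIDR argument.

```python
import ipaddress

# Constructed sample in `ipset save` format (not output from the thread).
SAMPLE_SAVE = """\
create test hash:net family inet hashsize 1024 maxelem 65536 timeout 0
add test 10.1.0.0/16 timeout 0
add test 10.2.0.0/17 timeout 0
add test 10.2.128.0/17 timeout 0
"""


def load_elements(save_text, set_name):
    """Return the networks stored in set_name, parsed from `ipset save` text."""
    nets = []
    for line in save_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "add" and fields[1] == set_name:
            nets.append(ipaddress.ip_network(fields[2], strict=False))
    return nets


def kernel_match(elements, address):
    """Mode 1: how packet matching sees a single IP (any element containing it)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in elements)


def exact_element(elements, network):
    """Mode 2: is this exact network stored as an element of the set?"""
    return ipaddress.ip_network(network, strict=False) in elements


def covered(elements, network):
    """Hypothetical third mode: is every address of `network` matched?"""
    target = ipaddress.ip_network(network, strict=False)
    same_family = [n for n in elements if n.version == target.version]
    # collapse_addresses merges adjacent and nested elements first, so a range
    # covered only by the union of several elements is still reported.
    merged = ipaddress.collapse_addresses(same_family)
    return any(target.subnet_of(net) for net in merged)
```
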