ipset bitmap:port question

ipset bitmap:port question

[A L]

Hello,

I'm trying to understand if ipset "bitmap:port" should support protocol 
or not. Based on the name"bitmap:port" it should only store one value 
per row, and not tuple like "bitmap:ip,mac" does. However the examples 
in the manual suggests it should?

 From the man page at http://ipset.netfilter.org/ipset.man.html#lbBI

bitmap:port
/ADD-ENTRY/:= {/[proto:]port/|/[proto:]fromport/-/toport/}
Examples:
     ipset create foo bitmap:port range 0-1024
     ipset add foo 80
     ipset test foo 80
     ipset del foo udp:[macon-udp]-[tn-tl-w2]


However in my testing I can't see any entries with udp or tcp in the list.

     # ipset create test bitmap:port range 1000-65000 comment
     # ipset add test tcp:8080 comment "http proxy"
     # ipset add test udp:9999 comment "some udp service"


However when listing or exporting the "test" set, there is no protocol 
information.

     # ipset list test
     Name: test
     Type: bitmap:port
     Revision: 3
     Header: range 1000-65000 comment
     Size in memory: 520144
     References: 0
     Number of entries: 2
     Members:
     8080 comment "http proxy"
     9999 comment "some udp service"

     # ipset save test
     create test bitmap:port range 1000-65000 comment
     add test 8080 comment "http proxy"
     add test 9999 comment "some udp service

I am running:
ipset v7.1, protocol version: 7
kernel 5.3.10

Regards,
~A

Re: ipset bitmap:port question

[İbrahim Ercan]

I'm also wondering why port numbers are not interpreted with protocol
on bitmap:port while hash kind sets are.
I'd would glad to hear from a netfilter developer.
Regards.

--
İbrahim Ercan

On Thu, Nov 14, 2019 at 4:25 AM A L <mail@lechevalier.se> wrote:
>
> Hello,
>
> I'm trying to understand if ipset "bitmap:port" should support protocol
> or not. Based on the name"bitmap:port" it should only store one value
> per row, and not tuple like "bitmap:ip,mac" does. However the examples
> in the manual suggests it should?
>
>  ...

Re: ipset bitmap:port question

[İbrahim Ercan]

I'm also wondering why port numbers are not interpreted with protocol
on bitmap:port while hash kind sets are.
I'd would glad to hear from a netfilter developer.
Regards.

--
Ä°brahim Ercan

On Thu, Nov 14, 2019 at 4:25 AM A L <mail@lechevalier.se> wrote:
>
> Hello,
>
> I'm trying to understand if ipset "bitmap:port" should support protocol
> or not. Based on the name"bitmap:port" it should only store one value
> per row, and not tuple like "bitmap:ip,mac" does. However the examples
> in the manual suggests it should?
>
>  ...

Re: ipset bitmap:port question

[Kadlecsik József]

Hi,

On Thu, 14 Nov 2019, A L wrote:

> I'm trying to understand if ipset "bitmap:port" should support protocol 
> or not. Based on the name"bitmap:port" it should only store one value 
> per row, and not tuple like "bitmap:ip,mac" does. However the examples 
> in the manual suggests it should?

It's a documentation bug, bitmap:port type does not support protocol. 
I'm going to fix the documentation, both in the help and the manpage.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset bitmap:port question

[Kadlecsik József]

[-- Attachment #1: Type: text/plain, Size: 1101 bytes --]

Hi,

On Thu, 14 Nov 2019, İbrahim Ercan wrote:

> I'm also wondering why port numbers are not interpreted with protocol on 
> bitmap:port while hash kind sets are. I'd would glad to hear from a 
> netfilter developer.

The bitmap family is the earliest and the types kept their original 
functionality (apart from the extensions). In the case of the hash types 
it was easy to add the protocol number to the port while in the bitmap 
case it'd be not so simple.

Best regards,
Jozsef

> On Thu, Nov 14, 2019 at 4:25 AM A L <mail@lechevalier.se> wrote:
> >
> > Hello,
> >
> > I'm trying to understand if ipset "bitmap:port" should support protocol
> > or not. Based on the name"bitmap:port" it should only store one value
> > per row, and not tuple like "bitmap:ip,mac" does. However the examples
> > in the manual suggests it should?
> >
> >  ...
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset bitmap:port question

[Kadlecsik József]

[-- Attachment #1: Type: text/plain, Size: 1232 bytes --]

On Thu, 14 Nov 2019, Kadlecsik József wrote:

> On Thu, 14 Nov 2019, A L wrote:
> 
> > I'm trying to understand if ipset "bitmap:port" should support protocol 
> > or not. Based on the name"bitmap:port" it should only store one value 
> > per row, and not tuple like "bitmap:ip,mac" does. However the examples 
> > in the manual suggests it should?
> 
> It's a documentation bug, bitmap:port type does not support protocol. 
> I'm going to fix the documentation, both in the help and the manpage.

Checking the manpage it reads

bitmap:port
 ....
 ADD-ENTRY := { [proto:]port | [proto:]fromport-toport }
 ....
 proto only needs to be specified if a service name is used, and  that  
 name does not exist as a TCP service.

So you can type "ipset add foo udp:rlp" instead of "ipset add foo 39" - 
it's only a helper to avoid writing numbers.

The manpage does not claim that protocol is stored, but then it's best to 
explicitly state so in the documentation.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary