netfilter-devel.vger.kernel.org archive mirror
From: Rudolf_AT <Rudolf_AT.nf@aon.at>
To: netfilter-devel@vger.kernel.org
Subject: IP sets: Suggestion: additional value match
Date: Thu, 30 Jul 2015 17:29:45 +0200
Message-ID: <55BA42E9.70808@aon.at>

Hi,

when working with IP sets, I came up with the following idea:
adding a value match:

  -j SET --add-set set1 flag[,flag]=value
  --match-set set1 flag[,flag]=value

Where value is an integer which is set in the added list element of the 
SET target. The value does not change the dimension of the list. The 
match is true only if the given value is equal to the value stored in 
the found element.

Optionally adding an arbitrary value could help using IP sets in even 
more ways than now, for example easily tracking packets independently of 
other extensions or matches.

For example, instead of using three sets to distinguish between three 
different states:
  -j SET --add-set state1set src,dst,dst
  -j SET --del-set state2set src,dst,dst
  -j SET --del-set state3set src,dst,dst
one would write:
  -j SET --add-set aset1 src,dst,dst=<integer>
Where <integer> resembles state1|state2|state3 then.

Maybe you can think of more uses for this feature.
As a further enhancement bit operators might be useful, too.

Best Regards,
Rudolf

Thread overview: 4+ messages
2015-07-30 15:29 Rudolf_AT [this message]
2015-08-03  9:13 ` IP sets: Suggestion: additional value match Jozsef Kadlecsik
2015-08-04  5:51   ` Rudolf_AT
2015-08-06 16:08     ` Rudolf_AT
