netfilter-devel.vger.kernel.org archive mirror
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: Rudolf_AT <Rudolf_AT.nf@aon.at>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: IP sets: Suggestion: additional value match
Date: Mon, 3 Aug 2015 11:13:39 +0200 (CEST)
Message-ID: <alpine.DEB.2.10.1508031058510.26858@blackhole.kfki.hu>
In-Reply-To: <55BA42E9.70808@aon.at>

Hi,

On Thu, 30 Jul 2015, Rudolf_AT wrote:

> when working with IP sets, I came up with the following idea:
> adding a value match:
> 
>  -j SET --add-set set1 flag[,flag]=value
>  --match-set set1 flag[,flag]=value
>
> Where value is an integer which is set in the added list element of the 
> SET target. The value does not change the dimension of the list. The 
> match is true only if the given value is equal to the value stored in 
> the found element.
> 
> Optionally adding an arbitrary value could help using IP sets in even 
> more ways than now, for example easily tracking packets independently of 
> other extensions or matches.
> 
> For example, instead of using three sets to distinguish between three
> different states:
>  -j SET --add-set state1set src,dst,dst
>  -j SET --del-set state2set src,dst,dst
>  -j SET --del-set state3set src,dst,dst
> one would write:
>  -j SET --add-set aset1 src,dst,dst=<integer>
> Where <integer> resembles state1|state2|state3 then.
>
> Maybe you can think of more uses for this feature.
> As a further enhancement bit operators might be useful, too.

The stored value is not a dimension-like parameter, so it should not be 
denoted/matched/updated as a dimension related one.

As far as I see it's quite similar to the "connmark/CONNMARK" match 
and target. Why cannot that simply be used?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
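The two approaches discussed in this thread side by side, as an added shell example that is not part of the original messages: the three-set workaround quoted from the proposal, and the connmark/CONNMARK alternative suggested in the reply. The set names (state1set..state3set, aset1), the STATE chain and the choice of mark bits are assumptions made here for illustration; the functions only print iptables/ipset commands, so the script runs without root and the output can be piped into sh on a real host.

```shell
#!/bin/sh
# Added example (not from the thread): the three-set workaround from the
# proposal next to the connmark/CONNMARK alternative from the reply.
# Set names (state1set..state3set, aset1), the STATE chain and the mark
# bits are illustrative assumptions. The functions only print the rules,
# so this runs without root; on a real host pipe the output into sh.

IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}

# One-time setup: "src,dst,dst" on a hash:ip,port,ip set means
# (source IP, destination port, destination IP).
setup_rules() {
    for n in 1 2 3; do
        echo "$IPSET create state${n}set hash:ip,port,ip -exist"
    done
    echo "$IPSET create aset1 hash:ip,port,ip -exist"
}

# Three-set approach: one set per state. Entering state N means adding the
# tuple to set N and deleting it from the other two (three rules per state).
three_set_rules() {
    state=$1   # 1, 2 or 3
    echo "$IPT -A STATE -j SET --add-set state${state}set src,dst,dst --exist"
    for other in 1 2 3; do
        if [ "$other" != "$state" ]; then
            echo "$IPT -A STATE -j SET --del-set state${other}set src,dst,dst"
        fi
    done
}

# CONNMARK approach: the set only records which flows are tracked; the
# state is an integer kept in the conntrack mark (low two bits here, so
# states 1..3 fit). One rule per transition, no delete rules.
connmark_set_state() {
    state=$1
    echo "$IPT -A STATE -m set --match-set aset1 src,dst,dst -j CONNMARK --set-mark ${state}/0x3"
}

# The match side of the proposal (--match-set ... =value) becomes a set
# match combined with a connmark match on the same bits.
connmark_match_state() {
    state=$1
    target=$2
    echo "$IPT -A INPUT -m set --match-set aset1 src,dst,dst -m connmark --mark ${state}/0x3 -j ${target}"
}

# Print a complete rule set for both variants.
emit_all() {
    setup_rules
    echo "$IPT -N STATE"
    for n in 1 2 3; do three_set_rules "$n"; done
    for n in 1 2 3; do connmark_set_state "$n"; done
    connmark_match_state 2 ACCEPT
    connmark_match_state 3 DROP
}

emit_all
```

In practice each transition rule would carry its own match condition (the proposal left that out as well); the point here is the shape of the rules. One caveat when substituting CONNMARK for a stored set value: the conntrack mark lives and dies with the connection, while a set entry has its own timeout, survives across connections of the same tuple, and can be inspected or changed from userspace with ipset list/add/del. If the state must outlive the flow or be set by an external process, the set-based variant is still the one to use.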

Thread overview: 4+ messages
2015-07-30 15:29 IP sets: Suggestion: additional value match Rudolf_AT
2015-08-03  9:13 ` Jozsef Kadlecsik [this message]
2015-08-04  5:51   ` Rudolf_AT
2015-08-06 16:08     ` Rudolf_AT
