From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: Rudolf_AT <Rudolf_AT.nf@aon.at>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: IP sets: Suggestion: additional value match
Date: Mon, 3 Aug 2015 11:13:39 +0200 (CEST)
Message-ID: <alpine.DEB.2.10.1508031058510.26858@blackhole.kfki.hu>
In-Reply-To: <55BA42E9.70808@aon.at>

Hi,

On Thu, 30 Jul 2015, Rudolf_AT wrote:
> when working with IP sets, I came up with the following idea:
> adding a value match:
>
> -j SET --add-set set1 flag[,flag]=value
> --match-set set1 flag[,flag]=value
>
> Where value is an integer which is set in the added list element of the
> SET target. The value does not change the dimension of the list. The
> match is true only if the given value is equal to the value stored in
> the found element.
>
> Optionally adding an arbitrary value could help using IP sets in even
> more ways than now, for example easily tracking packets independently of
> other extensions or matches.
>
> For example, instead of using three sets to distinguish between three
> different states:
> -j SET --add-set state1set src,dst,dst
> -j SET --del-set state2set src,dst,dst
> -j SET --del-set state3set src,dst,dst
> one would write:
> -j SET --add-set aset1 src,dst,dst=<integer>
> Where <integer> resembles state1|state2|state3 then.
>
> Maybe you can think of more uses for this feature.
> As a further enhancement bit operators might be useful, too.

The stored value is not a dimension-like parameter, so it should not be
denoted/matched/updated as a dimension related one.

As far as I see it's quite similar to the "connmark/CONNMARK" match
and target. Why cannot that simply be used?

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary