* Fwd: ipset and counters
[not found] <51752B00.8090908@metu.edu.tr>
@ 2013-04-22 12:46 ` Husnu Demir
2013-04-22 13:57 ` Jozsef Kadlecsik
0 siblings, 1 reply; 15+ messages in thread
From: Husnu Demir @ 2013-04-22 12:46 UTC (permalink / raw)
To: netfilter
Hi,
I want to give a try for COUNTERS properties of IPSET. But I could not
manage it;
# ipset create COUNTERS bitmap:ip counters
ipset v6.17: Unknown argument: `counters'
Try `ipset help' for more information.
# man ipset
..
..
counters, packets, bytes
All set types support the optional counters option when
creating a set. If the option is specified then the set is created
with packet and byte counters per element support. The packet and byte
counters are initialized to
zero when the elements are (re-)added to the set, unless the
packet and byte counter values are explicitly specified by the packets
and bytes options. An example when an element is added to a set with
non-zero counter values:
ipset create foo hash:ip counters
ipset add foo 192.168.1.1 packets 42 bytes 1024
..
I could not set counters. How can I activate it?
I used ipset-20130422 BUILD. And;
# autogen.sh
# ./configure
# make
# make install
# make CONFIG_IP_SET_MAX=2048 modules
# make CONFIG_IP_SET_MAX=2048 modules_install
# ipset -V
ipset v6.17, protocol version: 6
There is an ipset v6.18 but daily build says 6.17.
Please help.
Thanks in advance.
Husnu Demir.
Network.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Fwd: ipset and counters
2013-04-22 12:46 ` Fwd: ipset and counters Husnu Demir
@ 2013-04-22 13:57 ` Jozsef Kadlecsik
2013-04-22 14:03 ` Husnu Demir
0 siblings, 1 reply; 15+ messages in thread
From: Jozsef Kadlecsik @ 2013-04-22 13:57 UTC (permalink / raw)
To: Husnu Demir; +Cc: netfilter
On Mon, 22 Apr 2013, Husnu Demir wrote:
> I want to give a try for COUNTERS properties of IPSET. But I could not
> manage it;
>
> # ipset create COUNTERS bitmap:ip counters
> ipset v6.17: Unknown argument: `counters'
> Try `ipset help' for more information.
What does "ipset help bitmap:ip" say? I suspect you have multiple
binaries at different paths.
> I used ipset-20130422 BUILD. And;
>
> # autogen.sh
> # ./configure
> # make
> # make install
> # make CONFIG_IP_SET_MAX=2048 modules
> # make CONFIG_IP_SET_MAX=2048 modules_install
>
> # ipset -V
> ipset v6.17, protocol version: 6
>
> There is an ipset v6.18 but daily build says 6.17.
6.18 is a bugfix release, without any new feature. The counters will be
announced in 6.19, but the master branch of the git tree already has got
it (without bumping the version number).
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Fwd: ipset and counters
2013-04-22 13:57 ` Jozsef Kadlecsik
@ 2013-04-22 14:03 ` Husnu Demir
2013-04-22 17:24 ` Jozsef Kadlecsik
0 siblings, 1 reply; 15+ messages in thread
From: Husnu Demir @ 2013-04-22 14:03 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
On 22-04-2013 16:57, Jozsef Kadlecsik wrote:
> On Mon, 22 Apr 2013, Husnu Demir wrote:
>
>> I want to give a try for COUNTERS properties of IPSET. But I
>> could not manage it;
>>
>> # ipset create COUNTERS bitmap:ip counters ipset v6.17: Unknown
>> argument: `counters' Try `ipset help' for more information.
>
> What does "ipset help bitmap:ip" say? I suspect you have multiple
> binaries at different paths.
# ipset help bitmap:ip
ipset v6.17
Usage: ipset [options] COMMAND
..
bitmap:ip type specific options:
create SETNAME bitmap:ip range IP/CIDR|FROM-TO
[netmask CIDR] [timeout VALUE] [counters]
add SETNAME IP|IP/CIDR|FROM-TO [timeout VALUE]
[packets VALUE] [bytes VALUE]
del SETNAME IP|IP/CIDR|FROM-TO
test SETNAME IP
where IP, FROM and TO are IPv4 addresses (or hostnames),
CIDR is a valid IPv4 CIDR prefix.
Type bitmap:ip supports family INET only.
hdemir.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Fwd: ipset and counters
2013-04-22 14:03 ` Husnu Demir
@ 2013-04-22 17:24 ` Jozsef Kadlecsik
2013-05-06 13:14 ` tian fang
0 siblings, 1 reply; 15+ messages in thread
From: Jozsef Kadlecsik @ 2013-04-22 17:24 UTC (permalink / raw)
To: Husnu Demir; +Cc: netfilter
On Mon, 22 Apr 2013, Husnu Demir wrote:
> On 22-04-2013 16:57, Jozsef Kadlecsik wrote:
> > On Mon, 22 Apr 2013, Husnu Demir wrote:
> >
> >> I want to give a try for COUNTERS properties of IPSET. But I
> >> could not manage it;
> >>
> >> # ipset create COUNTERS bitmap:ip counters ipset v6.17: Unknown
> >> argument: `counters' Try `ipset help' for more information.
> >
> > What does "ipset help bitmap:ip" say? I suspect you have multiple
> > binaries at different paths.
>
> # ipset help bitmap:ip
> ipset v6.17
>
> Usage: ipset [options] COMMAND
>
>
> ..
>
> bitmap:ip type specific options:
>
> create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> [netmask CIDR] [timeout VALUE] [counters]
So the ipset binary does support counters. Then what is the output of
"modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset kernel
modules loaded in, then just installing them won't unload them.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Fwd: ipset and counters
@ 2013-04-22 18:06 hdemir
0 siblings, 0 replies; 15+ messages in thread
From: hdemir @ 2013-04-22 18:06 UTC (permalink / raw)
To: netfilter
Hi,
I first made "rmmod" then ipset create. I will try tomorrow again.
thanks.
:~# modinfo ip_set_bitmap_ip
filename:
/lib/modules/3.8.7/kernel/net/netfilter/ipset/ip_set_bitmap_ip.ko
alias: ip_set_bitmap:ip
description: bitmap:ip type of IP sets, revisions 0-0
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
license: GPL
depends: ip_set
intree: Y
vermagic: 3.8.7 SMP mod_unload modversions
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Fwd: ipset and counters
2013-04-22 17:24 ` Jozsef Kadlecsik
@ 2013-05-06 13:14 ` tian fang
2013-05-06 13:40 ` Jozsef Kadlecsik
0 siblings, 1 reply; 15+ messages in thread
From: tian fang @ 2013-05-06 13:14 UTC (permalink / raw)
To: netfilter
Jozsef Kadlecsik <kadlec <at> blackhole.kfki.hu> writes:
> > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> > [netmask CIDR] [timeout VALUE] [counters]
>
> So the ipset binary does support counters. Then what is the output of
> "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset kernel
> modules loaded in, then just installing them won't unload them.
>
> Best regards,
> Jozsef
Jozsef
I successfully built and executed ipset 6.19, but when I try to run this
command, I failed.
iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j MASQUERADE
iptables: No chain/target/match by that name.
Could you please help me on this?
Appreciated!
tian
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Fwd: ipset and counters
2013-05-06 13:14 ` tian fang
@ 2013-05-06 13:40 ` Jozsef Kadlecsik
2013-05-06 14:03 ` tian fang
2013-05-06 14:46 ` tian fang
0 siblings, 2 replies; 15+ messages in thread
From: Jozsef Kadlecsik @ 2013-05-06 13:40 UTC (permalink / raw)
To: tian fang; +Cc: netfilter
On Mon, 6 May 2013, tian fang wrote:
> Jozsef Kadlecsik <kadlec <at> blackhole.kfki.hu> writes:
>
> > > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> > > [netmask CIDR] [timeout VALUE] [counters]
> >
> > So the ipset binary does support counters. Then what is the output of
> > "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset kernel
> > modules loaded in, then just installing them won't unload them.
>
> I successfully built and executed ipset 6.19 ,but when I try to run this
> command, I failed.
>
> iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j MASQUERADE
> iptables: No chain/target/match by that name.
>
> could you please help me on this ?
[There's no ipset 6.19 yet.]
Did you install the kernel modules from the ipset package?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: Fwd: ipset and counters
2013-05-06 13:40 ` Jozsef Kadlecsik
@ 2013-05-06 14:03 ` tian fang
2013-05-06 14:46 ` tian fang
1 sibling, 0 replies; 15+ messages in thread
From: tian fang @ 2013-05-06 14:03 UTC (permalink / raw)
To: 'Jozsef Kadlecsik'; +Cc: netfilter
-----Original Message-----
From: Jozsef Kadlecsik [mailto:kadlec@blackhole.kfki.hu]
Sent: 6 May 2013 21:41
To: tian fang
Cc: netfilter@vger.kernel.org
Subject: Re: Fwd: ipset and counters
On Mon, 6 May 2013, tian fang wrote:
> Jozsef Kadlecsik <kadlec <at> blackhole.kfki.hu> writes:
>
> > > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> > > [netmask CIDR] [timeout VALUE] [counters]
> >
> > So the ipset binary does support counters. Then what is the output
> > of "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset
> > kernel modules loaded in, then just installing them won't unload them.
>
> I successfully built and executed ipset 6.19 ,but when I try to
> run this command, I failed.
>
> iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j
> MASQUERADE
> iptables: No chain/target/match by that name.
>
> could you please help me on this ?
[There's no ipset 6.19 yet.]
Did you install the kernel modules from the ipset package?
Best regards,
Jozsef
-
Thanks for your quick reply.
I just follow your README file: make and make modules, then make install
& modules_install.
I want the counters features, so I git cloned the latest code.
Please help!
Best regards
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: Fwd: ipset and counters
2013-05-06 13:40 ` Jozsef Kadlecsik
2013-05-06 14:03 ` tian fang
@ 2013-05-06 14:46 ` tian fang
2013-05-06 18:28 ` Jozsef Kadlecsik
1 sibling, 1 reply; 15+ messages in thread
From: tian fang @ 2013-05-06 14:46 UTC (permalink / raw)
To: 'Jozsef Kadlecsik'; +Cc: netfilter
-----Original Message-----
From: Jozsef Kadlecsik [mailto:kadlec@blackhole.kfki.hu]
Sent: 6 May 2013 21:41
To: tian fang
Cc: netfilter@vger.kernel.org
Subject: Re: Fwd: ipset and counters
On Mon, 6 May 2013, tian fang wrote:
> Jozsef Kadlecsik <kadlec <at> blackhole.kfki.hu> writes:
>
> > > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> > > [netmask CIDR] [timeout VALUE] [counters]
> >
> > So the ipset binary does support counters. Then what is the output
> > of "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset
> > kernel modules loaded in, then just installing them won't unload them.
>
> I successfully built and executed ipset 6.19 ,but when I try to
> run this command, I failed.
>
> iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j
> MASQUERADE
> iptables: No chain/target/match by that name.
>
> could you please help me on this ?
[There's no ipset 6.19 yet.]
Did you install the kernel modules from the ipset package?
Best regards,
Jozsef
-
Jozsef
I succeeded after I sudo cp xt_set.ko
/lib/modules/3.5.0-28-generic/kernel/net/netfilter/ .
Thanks for your help.
But I am just a little bit curious why can't I do it by make install.
Best regards
tian
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: Fwd: ipset and counters
2013-05-06 14:46 ` tian fang
@ 2013-05-06 18:28 ` Jozsef Kadlecsik
2013-05-06 19:59 ` hdemir
2013-05-07 12:05 ` tian fang
0 siblings, 2 replies; 15+ messages in thread
From: Jozsef Kadlecsik @ 2013-05-06 18:28 UTC (permalink / raw)
To: tian fang; +Cc: netfilter
On Mon, 6 May 2013, tian fang wrote:
> > > > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> > > > [netmask CIDR] [timeout VALUE] [counters]
> > >
> > > So the ipset binary does support counters. Then what is the output
> > > of "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset
> > > kernel modules loaded in, then just installing them won't unload them.
> >
> > I successfully built and executed ipset 6.19 ,but when I try to
> > run this command, I failed.
> >
> > iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j
> > MASQUERADE
> > iptables: No chain/target/match by that name.
> >
> > could you please help me on this ?
>
> [There's no ipset 6.19 yet.]
>
> I succeeded after I sudo cp xt_set.ko
> /lib/modules/3.5.0-28-generic/kernel/net/netfilter/ .
> Thanks for your help.
> But I am just a little bit curious why can't I do it by make install.
I suspect your "depmod" utility is not configured to process the
/lib/modules/`uname -r`/extra/ directory, in which the modules are
installed by the command "make modules_install".
It's strange. You're the second reporting such kind of problem.
What is your distribution and what's its version?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 15+ messages in thread
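The two checks Jozsef asks for in this thread (what `modinfo` resolves, and whether `depmod` processes `extra/`), sketched as an added example that is not code from the thread or from the ipset project. It assumes the `search` directive described in depmod.d(5) and reads all `search` lines as one ordered list; the depmod.d samples are constructed, and the modinfo sample reuses the fields Husnu posted above.

```shell
#!/bin/sh
# Added example, not from the thread or the ipset project.

# module_origin: reads `modinfo MODULE` output on stdin and prints where the
# resolved .ko comes from:
#   in-tree   the kernel's own copy (path under kernel/, or "intree: Y")
#   external  a copy under extra/ or updates/ (where modules_install puts it)
#   unknown   no usable filename line
module_origin() {
    awk '
        $1 == "filename:" { file = $2 }
        $1 == "intree:"   { intree = $2 }
        END {
            if (file ~ /\/(extra|updates)\//)              print "external"
            else if (intree == "Y" || file ~ /\/kernel\//) print "in-tree"
            else                                           print "unknown"
        }'
}

# depmod_ranks_extra: reads depmod.d configuration text on stdin and succeeds
# only if a "search" line lists "extra" ahead of "built-in".
# Assumption: all search lines are treated as one ordered list.
depmod_ranks_extra() {
    awk '
        $1 == "search" {
            for (i = 2; i <= NF; i++) {
                n++
                if ($i == "extra"    && !e) e = n
                if ($i == "built-in" && !b) b = n
            }
        }
        END { exit !(e && (!b || e < b)) }'
}

# Sample 1: fields from the modinfo output posted in the thread, one per line.
SAMPLE_MODINFO='filename:       /lib/modules/3.8.7/kernel/net/netfilter/ipset/ip_set_bitmap_ip.ko
alias:          ip_set_bitmap:ip
description:    bitmap:ip type of IP sets, revisions 0-0
intree:         Y
vermagic:       3.8.7 SMP mod_unload modversions'

# Samples 2 and 3: constructed depmod.d contents (not from the thread).
SAMPLE_DEPMOD_DEFAULT='search updates built-in'
SAMPLE_DEPMOD_WITH_EXTRA='# prefer out-of-tree builds
search extra updates built-in'

# Live use (assumes modinfo is installed and configs live in /etc/depmod.d):
#   modinfo ip_set_bitmap_ip | module_origin
#   cat /etc/depmod.d/*.conf | depmod_ranks_extra || echo "extra/ not preferred"

printf 'modinfo sample resolves to: %s\n' \
    "$(printf '%s\n' "$SAMPLE_MODINFO" | module_origin)"
for cfg in "$SAMPLE_DEPMOD_DEFAULT" "$SAMPLE_DEPMOD_WITH_EXTRA"; do
    if printf '%s\n' "$cfg" | depmod_ranks_extra; then
        echo "extra/ is ranked ahead of built-in"
    else
        echo "extra/ is not ranked ahead of built-in"
    fi
done
```

An "in-tree" result after `make modules_install` means the freshly built module is not the one being resolved. As noted earlier in the thread, installing new modules does not unload ones that are already loaded.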
* RE: Fwd: ipset and counters
2013-05-06 18:28 ` Jozsef Kadlecsik
@ 2013-05-06 19:59 ` hdemir
2013-05-07 12:05 ` tian fang
1 sibling, 0 replies; 15+ messages in thread
From: hdemir @ 2013-05-06 19:59 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: tian fang, netfilter
> On Mon, 6 May 2013, tian fang wrote:
>
>> > > > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
>> > > > [netmask CIDR] [timeout VALUE] [counters]
>> > >
>> > > So the ipset binary does support counters. Then what is the output
>> > > of "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset
>> > > kernel modules loaded in, then just installing them won't unload
>> them.
>> >
>> > I successfully built and executed ipset 6.19 ,but when I try to
>> > run this command, I failed.
>> >
>> > iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j
>> > MASQUERADE
>> > iptables: No chain/target/match by that name.
>> >
>> > could you please help me on this ?
>>
>> [There's no ipset 6.19 yet.]
>>
>> I succeeded after I sudo cp xt_set.ko
>> /lib/modules/3.5.0-28-generic/kernel/net/netfilter/ .
>> Thanks for your help.
>> But I am just a little bit curious why can't I do it by make install.
>
> I suspect your "depmod" utility is not configured to process the
> /lib/modules/`uname -r`/extra/ directory, in which the modules are
> installed by the command "make modules_install".
>
> It's strange. You're the second reporting such kind of problem.
> What is your distribution and what's its version?
Debian Squeeze. Custom made kernel.
hdemir,
>
> Best regards,
> Jozsef
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: Fwd: ipset and counters
2013-05-06 18:28 ` Jozsef Kadlecsik
2013-05-06 19:59 ` hdemir
@ 2013-05-07 12:05 ` tian fang
2013-05-07 12:19 ` Jozsef Kadlecsik
1 sibling, 1 reply; 15+ messages in thread
From: tian fang @ 2013-05-07 12:05 UTC (permalink / raw)
To: 'Jozsef Kadlecsik'; +Cc: netfilter
-----Original Message-----
From: Jozsef Kadlecsik [mailto:kadlec@blackhole.kfki.hu]
Sent: 7 May 2013 2:28
To: tian fang
Cc: netfilter@vger.kernel.org
Subject: RE: Fwd: ipset and counters
On Mon, 6 May 2013, tian fang wrote:
> > > > create SETNAME bitmap:ip range IP/CIDR|FROM-TO
> > > > [netmask CIDR] [timeout VALUE] [counters]
> > >
> > > So the ipset binary does support counters. Then what is the output
> > > of "modinfo ip_set_bitmap_ip"? Also, if you had the previous ipset
> > > kernel modules loaded in, then just installing them won't unload them.
> >
> > I successfully built and executed ipset 6.19 ,but when I try to
> > run this command, I failed.
> >
> > iptables -t nat -A POSTROUTING -m set --match-set ipc src,dst -j
> > MASQUERADE
> > iptables: No chain/target/match by that name.
> >
> > could you please help me on this ?
>
> [There's no ipset 6.19 yet.]
>
> I succeeded after I sudo cp xt_set.ko
> /lib/modules/3.5.0-28-generic/kernel/net/netfilter/ .
> Thanks for your help.
> But I am just a little bit curious why can't I do it by make install.
I suspect your "depmod" utility is not configured to process the
/lib/modules/`uname -r`/extra/ directory, in which the modules are installed
by the command "make modules_install".
It's strange. You're the second reporting such kind of problem.
What is your distribution and what's its version?
Best regards,
Jozsef
-
Jozsef,
I am using ubuntu 12.04 LTS.
And I got an issue; I am sorry if I am wrong because I am quite a newbie.
I am confused about the "--match-set setname src,dst". It seems only the one
before the comma is functional. Please look at this.
I added an IP into the ipset sec, and set the iptables FORWARD chain as "dst,
src". I guess this means dst OR src, but unfortunately my outgoing packages
were dropped.
If I set two separate lines, it works.
Could you please help me on this?
Great appreciation !
Tian
tfang@gateway:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 83 packets, 4308 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set sec dst,src
    4   252 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 114 packets, 14440 bytes)
 pkts bytes target     prot opt in     out     source               destination
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: Fwd: ipset and counters
2013-05-07 12:05 ` tian fang
@ 2013-05-07 12:19 ` Jozsef Kadlecsik
2013-05-07 13:32 ` tian fang
0 siblings, 1 reply; 15+ messages in thread
From: Jozsef Kadlecsik @ 2013-05-07 12:19 UTC (permalink / raw)
To: tian fang; +Cc: netfilter
On Tue, 7 May 2013, tian fang wrote:
> I suspect your "depmod" utility is not configured to process the
> /lib/modules/`uname -r`/extra/ directory, in which the modules are installed
> by the command "make modules_install".
>
> It's strange. You're the second reporting such kind of problem.
> What is your distribution and what's its version?
>
> I am using ubuntu 12.04 LTS.
I'll check this out: it should work without any extra effort.
> And I got an issue ,I am sorry if I am wrong because I am a quite newbie.
>
> I am confused of the "--match-set setname src,dst" . it seems only the one
> before the comma is functional. Please look at this .
>
> I added an IP into the ipset sec,and set the iptables FORWARD Chain as "dst,
> src" ,I guess this means dst OR src, but unfortunately ,my outgoing packages
> was dropped.
>
> If I set two separated lines ,it works.
If the dimension of the set is less than the direction parameters of the
set match/SET target, then that's ignored.
With "--match-set setname src,dst" you instruct ipset that if the named
set stores IP address and port number pairs, then get the source and
destination parameters from the packets, say 192.168.1.1 as source
address, TCP port 80 as destination, form the element 192.168.1.1,tcp:80
and look it up in the given set.
You can't store and lookup IP address pairs, if that's what you want.
Best regards,
Jozsef
> tfang@gateway:~$ sudo iptables -nvL
> Chain INPUT (policy ACCEPT 83 packets, 4308 bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 match-set sec dst,src
> 4 252 DROP all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 114 packets, 14440 bytes)
> pkts bytes target prot opt in out source
> destination
>
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 15+ messages in thread
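A small model of the lookup rule Jozsef describes above, as an added example that is not ipset code: each direction flag feeds one dimension of the set type, and flags beyond the set's dimension are ignored. It assumes the set `sec` is a `hash:ip` set holding 192.168.1.1 (the thread does not state its type or contents); the peer address 203.0.113.9 and the ports are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the ipset project.

# lookup_key TYPE DIRS SADDR DADDR PROTO SPORT DPORT
# Builds the element that is looked up in a set of TYPE (e.g. hash:ip,port)
# for a packet, taking one direction flag per dimension. Surplus flags are
# ignored; fewer flags than dimensions is outside what the thread covers and
# is refused here. Only "ip" and "port" dimensions are modelled.
lookup_key() (
    fields=${1#*:} dirs=$2 saddr=$3 daddr=$4 proto=$5 sport=$6 dport=$7
    key=''
    while [ -n "$fields" ]; do
        field=${fields%%,*}
        dir=${dirs%%,*}
        case $field:$dir in
            ip:src)   part=$saddr ;;
            ip:dst)   part=$daddr ;;
            port:src) part=$proto:$sport ;;
            port:dst) part=$proto:$dport ;;
            *) echo "unsupported dimension/direction: $field:$dir" >&2; exit 1 ;;
        esac
        key=${key:+$key,}$part
        # Advance both lists by one entry.
        case $fields in *,*) fields=${fields#*,} ;; *) fields='' ;; esac
        case $dirs   in *,*) dirs=${dirs#*,}     ;; *) dirs=''   ;; esac
    done
    echo "$key"
)

# set_matches MEMBERS TYPE DIRS <packet fields...>
# MEMBERS is a newline-separated list of set elements.
set_matches() (
    members=$1; shift
    key=$(lookup_key "$@") || exit 2
    printf '%s\n' "$members" | grep -Fxq -- "$key"
)

# forward_verdict MEMBERS TYPE "DIRS1 DIRS2 ..." <packet fields...>
# Models the FORWARD chain from the thread: one ACCEPT rule per DIRS entry,
# followed by an unconditional DROP.
forward_verdict() (
    members=$1 settype=$2 rules=$3; shift 3
    for dirs in $rules; do
        if set_matches "$members" "$settype" "$dirs" "$@"; then
            echo ACCEPT; exit 0
        fi
    done
    echo DROP
)

SEC_MEMBERS='192.168.1.1'   # assumed content of set "sec"

# Outgoing packet from the listed host (constructed values):
#   src 192.168.1.1:40000 -> dst 203.0.113.9:80 tcp
echo "one rule, dst,src : $(forward_verdict "$SEC_MEMBERS" hash:ip 'dst,src' \
    192.168.1.1 203.0.113.9 tcp 40000 80)"
echo "two rules, dst src: $(forward_verdict "$SEC_MEMBERS" hash:ip 'dst src' \
    192.168.1.1 203.0.113.9 tcp 40000 80)"
echo "hash:ip,port key  : $(lookup_key hash:ip,port src,dst \
    192.168.1.1 203.0.113.9 tcp 40000 80)"
```

With a one-dimensional set, `dst,src` tests only the destination, so traffic sent by the listed host falls through to the DROP rule; two separate rules (`dst` and `src`) give the OR behaviour.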
* RE: Fwd: ipset and counters
2013-05-07 12:19 ` Jozsef Kadlecsik
@ 2013-05-07 13:32 ` tian fang
2013-05-07 13:40 ` Jozsef Kadlecsik
0 siblings, 1 reply; 15+ messages in thread
From: tian fang @ 2013-05-07 13:32 UTC (permalink / raw)
To: 'Jozsef Kadlecsik'; +Cc: netfilter
>
> I am using ubuntu 12.04 LTS.
I'll check this out: it should work without any extra effort.
> And I got an issue ,I am sorry if I am wrong because I am a quite newbie.
>
> I am confused of the "--match-set setname src,dst" . it seems only
> the one before the comma is functional. Please look at this .
>
> I added an IP into the ipset sec,and set the iptables FORWARD Chain as
> "dst, src" ,I guess this means dst OR src, but unfortunately ,my
> outgoing packages was dropped.
>
> If I set two separated lines ,it works.
If the dimension of the set is less than the direction parameters of the set
match/SET target, then that's ignored.
With "--match-set setname src,dst" you instruct ipset that if the named set
stores IP address and port number pairs, then get the source and destination
parameters from the packets, say 192.168.1.1 as source address, TCP port 80
as destination, form the element 192.168.1.1,tcp:80 and look it up in the
given set.
You can't store and lookup IP address pairs, if that's what you want.
Best regards,
Jozsef
Jozsef,
Thanks much for your kindness. Seems I have to set two separated rules
for my purpose.
And I have the last question: what is the maximum number of the ipset bytes
counters?
RGS
tian
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: Fwd: ipset and counters
2013-05-07 13:32 ` tian fang
@ 2013-05-07 13:40 ` Jozsef Kadlecsik
0 siblings, 0 replies; 15+ messages in thread
From: Jozsef Kadlecsik @ 2013-05-07 13:40 UTC (permalink / raw)
To: tian fang; +Cc: netfilter
On Tue, 7 May 2013, tian fang wrote:
> And I have the last question ,what is the maximum number of the ipset bytes
> counters ?
You cannot have either byte or packet counters, only both. If a set is
defined with counters, then all its elements are created with counters.
The limit is the physical RAM of your machine.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
^ permalink raw reply [flat|nested] 15+ messages in thread