* Simple question about ipset
@ 2006-09-20 6:54 Ming-Ching Tiew
From: Ming-Ching Tiew @ 2006-09-20 6:54 UTC (permalink / raw)
To: netfilter
I have been reading ipset from http://ipset.netfilter.org/features.html
quite a few times but still do not understand what it means
by this:
iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
My question is why the flag is dst,dst ?
And similarly what is the significance if it is src,dst ?
What if it is src,dst,dst and so on ?
Regards
* Re: Simple question about ipset
@ 2006-09-20 13:38 Ming-Ching Tiew
From: Ming-Ching Tiew @ 2006-09-20 13:38 UTC (permalink / raw)
To: netfilter
>I have been reading ipset from http://ipset.netfilter.org/features.html
>quite a few times but still do not understand what does it mean
>by this :-
>
> iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
>
>My question is why the flag is dst,dst ?
>
>And similarly what is the significance if it is src,dst ?
>What if it is src,dst,dst and so on ?
Gosh, I think something suddenly sparked my mind; I think I understand it now.
The number of flags ties to the bindings, i.e. in this example it is ip->port,
so dst,dst would mean check the destination IP and destination port.
Had the flags been src,dst, then it is checking the source IP and destination port.
I hope my understanding is correct. Perhaps the docs should explain it more
clearly.
Cheers.
* Re: Simple question about ipset
@ 2006-09-20 13:57 ` Jozsef Kadlecsik
From: Jozsef Kadlecsik @ 2006-09-20 13:57 UTC (permalink / raw)
To: Ming-Ching Tiew; +Cc: netfilter
On Wed, 20 Sep 2006, Ming-Ching Tiew wrote:
> >I have been reading ipset from http://ipset.netfilter.org/features.html
> >quite a few times but still do not understand what does it mean
> >by this :-
> >
> > iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
> >
> >My question is why the flag is dst,dst ?
> >
> >And similarly what is the significance if it is src,dst ?
> >What if it is src,dst,dst and so on ?
>
> Gosh I think something sudden sparked my mind, I think I understand it now.
> The number of flags ties to the bindings, ie this example it is ip->port,
> then dst,dst would means check the destination ip, and destination port.
> Had the flags be src,dst, then it is checking the source ip and destination port.
Exactly. Also, if the set type itself stores data pairs, as in the case of
ipporthash, you have to define what kind of info from the packet must be
matched against the given set: (source or dest IP) and (source or dest)
port. I.e. if set 'servers' is of type ipporthash, you should use
iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
to match all of your servers (IP addresses) and their service ports, if
the set is properly filled up.
> I hope my understanding is correct. Perhaps the docs should explain it more
> clearly.
Yes, the docs are terse. Patches against the docs are (also) always
welcomed.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
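The flag semantics Jozsef describes (one src/dst flag per dimension of the set type, in the order the type stores them) can be modelled in a few lines. This is an added illustration written for this thread, not ipset's own code: the Packet class, SET_DIMENSIONS table and the in-memory 'servers' set are constructed stand-ins, and iphash/ipporthash are used only as the dimension lists named in the discussion.

```python
from dataclasses import dataclass

# Constructed model of the packet fields the set match inspects.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

# Each set type stores tuples of these dimensions, in this order; the match
# takes exactly one src/dst flag per dimension (type names as in the thread).
SET_DIMENSIONS = {
    "iphash": ("ip",),
    "ipporthash": ("ip", "port"),
}

def packet_key(pkt: Packet, set_type: str, flags: str) -> tuple:
    """Build the lookup key: for dimension i, take the src or dst field named by
    flag i. On ipporthash, "dst,dst" -> (dst_ip, dst_port), "src,dst" -> (src_ip, dst_port)."""
    dims = SET_DIMENSIONS[set_type]
    parts = flags.split(",")
    if len(parts) != len(dims):
        # e.g. "src,dst,dst" against a two-dimensional ipporthash set is rejected
        raise ValueError(f"{set_type} needs {len(dims)} flag(s), got {len(parts)}: {flags!r}")
    key = []
    for dim, side in zip(dims, parts):
        if side not in ("src", "dst"):
            raise ValueError(f"bad flag {side!r}, expected src or dst")
        key.append(getattr(pkt, f"{side}_{dim}"))
    return tuple(key)

def set_match(pkt: Packet, set_type: str, entries: set, flags: str) -> bool:
    """In-memory equivalent of '-m set --set <name> <flags>'."""
    return packet_key(pkt, set_type, flags) in entries

# Constructed 'servers' set: two service endpoints, as an ipporthash set would hold them.
SERVERS = {("10.0.0.5", 80), ("10.0.0.5", 443)}

def demo() -> dict:
    client_to_server = Packet("192.168.1.20", "10.0.0.5", 51234, 80)
    server_to_client = Packet("10.0.0.5", "192.168.1.20", 80, 51234)
    return {
        # forward direction: destination IP and destination port are both in the set
        "dst,dst": set_match(client_to_server, "ipporthash", SERVERS, "dst,dst"),
        # the client's source IP is not a server, so src,dst does not match
        "src,dst": set_match(client_to_server, "ipporthash", SERVERS, "src,dst"),
        # reply direction: the server's address and port are now the source fields
        "src,src": set_match(server_to_client, "ipporthash", SERVERS, "src,src"),
    }

if __name__ == "__main__":
    print(demo())
```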
* Re: Simple question about ipset
@ 2006-09-24 20:34 ` Ming-Ching Tiew
From: Ming-Ching Tiew @ 2006-09-24 20:34 UTC (permalink / raw)
To: netfilter
From: "Jozsef Kadlecsik" <kadlec@blackhole.kfki.hu>
>
> > I hope my understanding is correct. Perhaps the docs should explain it more
> > clearly.
>
> Yes, the docs are terse. Patches against the docs are (also) always
> welcomed.
>
If my understanding is correct (which I am still not very sure of at this moment),
perhaps may I suggest the syntax be changed such that only one flag is
allowed (and necessary) and the value can be 'dst', 'src', or 'both'?
e.g.,
iptables -A FORWARD -m set --set servers dst -j ACCEPT
iptables -A FORWARD -m set --set servers src -j ACCEPT
iptables -A FORWARD -m set --set servers both -j ACCEPT
or if the keyword 'both' is left out, it is then implied:
iptables -A FORWARD -m set --set servers -j ACCEPT
The nature of the relationship is that it will be hard to form a meaningful
relationship where the flags could be heterogeneous, so why not
just implement a simplified syntax?
Cheers