Multiple Address specification or match

Multiple Address specification or match

[Temp02]

Hello,

How difficult would it be to extend netfilter/iptables to allow multiple
source/destination address pairs (with negation) 'anded' together, as in -s
192.168.0.0/24 -s 10.0.0.0/8 -s ! 230.22.22.0/24. Or a match to do this same
thing?

regards,
Andrew.

Re: Multiple Address specification or match

[Swapnil Nagle]

>How difficult would it be to extend netfilter/iptables to allow multiple
>source/destination address pairs (with negation) 'anded' together, as in -s
>192.168.0.0/24 -s 10.0.0.0/8 -s ! 230.22.22.0/24. Or a match to do this same
>thing?
>  
>
How can the source address be "anded" ?
The source address cannot be both 192.168.0.1 and 10.0.0.1.

-- Swapnil

Re: Multiple Address specification or match

[Temp02]

No obviously a single source can't be both addresses, but the intent is to
allow a single rule to be used to match sources from both source ranges.

----- Original Message -----
From: "Swapnil Nagle" <swapsn@rediffmail.com>
To: "Temp02" <temp02@bluereef.com.au>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, September 30, 2004 4:42 PM
Subject: Re: Multiple Address specification or match


>
> >How difficult would it be to extend netfilter/iptables to allow multiple
> >source/destination address pairs (with negation) 'anded' together, as
in -s
> >192.168.0.0/24 -s 10.0.0.0/8 -s ! 230.22.22.0/24. Or a match to do this
same
> >thing?
> >
> >
> How can the source address be "anded" ?
> The source address cannot be both 192.168.0.1 and 10.0.0.1.
>
> -- Swapnil

Re: Multiple Address specification or match

[Henrik Nordstrom]

On Thu, 30 Sep 2004, Temp02 wrote:

> No obviously a single source can't be both addresses, but the intent is to
> allow a single rule to be used to match sources from both source ranges.

There is two ways for doing this

a) Using two rules, one per IP address.

b) Using an ippool/ipset storing the IP addresses.

Regards
Henrik

Re: Multiple Address specification or match

[Temp02]

thanks for your feedback but neither of these solutions are particularly
elegant.

The first (using more than one rule), requires the use of a lot more rules
than are really necessary, as an example, lets say that I wanted to prevent
access a range of subnets but allow everything else. Ideally I should be
able to:

iptables -A PREROUTING -d ! 10.0.0.0/8 -d ! 192.168.1.0/24 -d !
172.16.0.0/16 -m whatever -j ACCEPT

instead I would need three explicit drop rules and then an allow everything
else rule. (assuming a default drop policy).

The problem with the IPset/pool options are that they match only on a range
of addresses, not specifically by source or destination, also they seem to
require the use of another userspace program to actually build the sets
which in itself complicates the process.

Is it hard to extend the source and destination match functions to accept
multiple arguments?

----- Original Message -----
From: "Henrik Nordstrom" <hno@marasystems.com>
To: "Temp02" <temp02@bluereef.com.au>
Cc: <netfilter-devel@lists.netfilter.org>; "Swapnil Nagle"
<swapsn@rediffmail.com>
Sent: Thursday, September 30, 2004 6:34 PM
Subject: Re: Multiple Address specification or match


> On Thu, 30 Sep 2004, Temp02 wrote:
>
> > No obviously a single source can't be both addresses, but the intent is
to
> > allow a single rule to be used to match sources from both source ranges.
>
> There is two ways for doing this
>
> a) Using two rules, one per IP address.
>
> b) Using an ippool/ipset storing the IP addresses.
>
> Regards
> Henrik
>

Re: Multiple Address specification or match

[Simon Lodal]

> Is it hard to extend the source and destination match functions to accept
> multiple arguments?

Yes, they are pretty wired into iptables. And I would worry about their 
performance.

But it should be easy to create a new match to do it. There is already 
multiport and mport. The equivalent for addresses should not be hard.


Simon

Re: Multiple Address specification or match

[Andrew Hall]

Yes you're right, I meant 'or'd not 'anded' together.

----- Original Message -----
From: "Swapnil Nagle" <swapsn@rediffmail.com>
To: "Temp02" <temp02@bluereef.com.au>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, September 30, 2004 4:42 PM
Subject: Re: Multiple Address specification or match


>
> >How difficult would it be to extend netfilter/iptables to allow multiple
> >source/destination address pairs (with negation) 'anded' together, as
in -s
> >192.168.0.0/24 -s 10.0.0.0/8 -s ! 230.22.22.0/24. Or a match to do this
same
> >thing?
> >
> >
> How can the source address be "anded" ?
> The source address cannot be both 192.168.0.1 and 10.0.0.1.
>
> -- Swapnil
>

Re: Multiple Address specification or match

[Temp02]

thanks for your feedback but neither of these solutions are particularly
elegant.

The first (using more than one rule), requires the use of a lot more rules
than are really necessary, as an example, lets say that I wanted to prevent
access a range of subnets but allow everything else. Ideally I should be
able to:

iptables -A PREROUTING -d ! 10.0.0.0/8 -d ! 192.168.1.0/24 -d !
172.16.0.0/16 -m whatever -j ACCEPT

instead I would need three explicit drop rules and then an allow everything
else rule. (assuming a default drop policy).

The problem with the IPset/pool options are that they match only on a range
of addresses, not specifically by source or destination, also they seem to
require the use of another userspace program to actually build the sets
which in itself complicates the process.

Is it hard to extend the source and destination match functions to accept
multiple arguments?


> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@marasystems.com>
> To: "Temp02" <temp02@bluereef.com.au>
> Cc: <netfilter-devel@lists.netfilter.org>; "Swapnil Nagle"
> <swapsn@rediffmail.com>
> Sent: Thursday, September 30, 2004 6:34 PM
> Subject: Re: Multiple Address specification or match
>
>
> > On Thu, 30 Sep 2004, Temp02 wrote:
> >
> > > No obviously a single source can't be both addresses, but the intent
is
> to
> > > allow a single rule to be used to match sources from both source
ranges.
> >
> > There is two ways for doing this
> >
> > a) Using two rules, one per IP address.
> >
> > b) Using an ippool/ipset storing the IP addresses.
> >
> > Regards
> > Henrik
> >
>

Re: Multiple Address specification or match

[Eric Leblond]

[-- Attachment #1: Type: text/plain, Size: 431 bytes --]

On Thu, 2004-09-30 at 11:01, Temp02 wrote:
> thanks for your feedback but neither of these solutions are particularly
> elegant.

iptables/netfilter has to be efficient, rules generation script has to
be elegant. Having 3 rules is as efficient as your masked "or" rules if
it was coded and 3 separate rules are more simple than your global one
so in a way this is more elegant.

BR,
-- 
Eric Leblond <eric@inl.fr>
INL

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Multiple Address specification or match

[Henrik Nordstrom]

On Thu, 30 Sep 2004, Eric Leblond wrote:

> iptables/netfilter has to be efficient, rules generation script has to
> be elegant. Having 3 rules is as efficient as your masked "or" rules if
> it was coded and 3 separate rules are more simple than your global one
> so in a way this is more elegant.

For hipac this is true, but not really when using iptables.

Regards
Henrik

Re: Multiple Address specification or match

[Henrik Nordstrom]

On Thu, 30 Sep 2004, Temp02 wrote:

> The problem with the IPset/pool options are that they match only on a range
> of addresses, not specifically by source or destination

Eh? They match specificaly on either source or destination.

> also they seem to require the use of another userspace program to 
> actually build the sets which in itself complicates the process.

True.

> Is it hard to extend the source and destination match functions to accept
> multiple arguments?

Yes and no.

It is not hard to make a custom match matching multiple IP addresses, but 
it would be restricted in the number of addresses you can match.

If you need to group very many addresses then ippool/ipset is the correct 
tool.

Regards
Henrik

Re: Multiple Address specification or match

[Temp02]

The ippool and ipset matches only support linux 2.4 not 2.6 unfortunately.
The iprange match would suit my needs but it only allows a single match as
well. What would I need to change in iptables to allow the match to be
called more than once, as in:

iptables -m iprange 10.0.0.0-10.255.255.255 -m iprange
172.16.0.0-172.16.255.255

is this an easy to add switch somewhere?

thanks,

----- Original Message -----
From: "Henrik Nordstrom" <hno@marasystems.com>
To: "Temp02" <temp02@bluereef.com.au>
Cc: <netfilter-devel@lists.netfilter.org>; "Swapnil Nagle"
<swapsn@rediffmail.com>
Sent: Thursday, September 30, 2004 9:38 PM
Subject: Re: Multiple Address specification or match


> On Thu, 30 Sep 2004, Temp02 wrote:
>
> > The problem with the IPset/pool options are that they match only on a
range
> > of addresses, not specifically by source or destination
>
> Eh? They match specificaly on either source or destination.
>
> > also they seem to require the use of another userspace program to
> > actually build the sets which in itself complicates the process.
>
> True.
>
> > Is it hard to extend the source and destination match functions to
accept
> > multiple arguments?
>
> Yes and no.
>
> It is not hard to make a custom match matching multiple IP addresses, but
> it would be restricted in the number of addresses you can match.
>
> If you need to group very many addresses then ippool/ipset is the correct
> tool.
>
> Regards
> Henrik
>

Re: Multiple Address specification or match

[Jozsef Kadlecsik]

On Fri, 1 Oct 2004, Temp02 wrote:

> The ippool and ipset matches only support linux 2.4 not 2.6 unfortunately.

I'm working on the rewriting of ipset, together with porting to 2.6.

> The iprange match would suit my needs but it only allows a single match as
> well. What would I need to change in iptables to allow the match to be
> called more than once, as in:
>
> iptables -m iprange 10.0.0.0-10.255.255.255 -m iprange
> 172.16.0.0-172.16.255.255
>
> is this an easy to add switch somewhere?

The basic problem is that iptables matches are AND-ed. In you example you
imply OR-ed matches.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: Multiple Address specification or match

[Henrik Nordstrom]

On Fri, 1 Oct 2004, Temp02 wrote:

> iptables -m iprange 10.0.0.0-10.255.255.255 -m iprange
> 172.16.0.0-172.16.255.255
>
> is this an easy to add switch somewhere?

Should work fine, except that it will then be a AND (both ranges must 
match) so it does not make much sense..

Regards
Henrik