* Why is ipset nethash set type limited to /31?
From: Menno Smits @ 2006-03-10 3:36 UTC
To: netfilter
Hi all,
Is there a reason why the ipset's nethash set type can't be used with
single IPs (/32) as well as larger networks? I'd really like to be able
to use networks and IPs in the same set.
Regards,
Menno
Scanned by the NetBox from NetBox Blue
(http://netboxblue.com/)
* Re: Why is ipset nethash set type limited to /31?
From: Randy Grimshaw @ 2006-03-10 4:24 UTC
To: netfilter, menno
<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY 13244
315-443-5779
rgrimsha@syr.edu
>>> Menno Smits <menno@netboxblue.com> 03/09/06 10:36 PM >>>
> Is there a reason why the ipset's nethash set type can't be used with
> single IPs (/32) as well as larger networks? I'd really like to be able
> to use networks and IPs in the same set.
You cannot have a legitimate network with only one address. You also need a network address (x.x.x.0) and a broadcast address (x.x.x.3) and two addresses for the communicating systems to use (x.x.x.1 and x.x.x.2).
Microsoft Windows and other OSs also enforce this, so a /32 isn't practical..... but...
I understand your idea though, I needed to define several nearly duplicate rules for NET and IP hashes in our gateway application. Fortunately the cost is minimal compared to the overall efficiency gained by using IPset. (A fabulous tool that needs to become mainstream).
<><Randy
* Re: Why is ipset nethash set type limited to /31?
From: Menno Smits @ 2006-03-10 7:13 UTC
To: Netfilter Mailing list
Hi Randy,
Randy Grimshaw wrote:
> You cannot have a legitimate network with only one address. You also
> need a network address (x.x.x.0) and a broadcast address (x.x.x.3)
> and two addresses for the communicating systems to use (x.x.x.1 and
> x.x.x.2).
>
> Microsoft Windows and other OSs also enforce this, so a /32 isn't
> practical..... but...
>
> I understand your idea though, I needed to define several nearly
> duplicate rules for NET and IP hashes in our gateway application.
> Fortunately the cost is minimal compared to the overall efficiency
> gained by using IPset. (A fabulous tool that needs to become
> mainstream).
I understand networks, network addresses and broadcast addresses however
it would be useful to be able to match against both IP addresses and
networks with the one set. Why can't an IP address just be treated as a
/32 "network"?
The fact that you've had to work around the same limitation indicates
that I'm not the only one who could benefit from something like this. Is
there a technical reason why this isn't possible?
On a side note, I agree that IPset is fabulous and should be part of
mainline netfilter. It can greatly simplify otherwise complex firewall
configurations.
Menno
* Re: Why is ipset nethash set type limited to /31?
From: Jozsef Kadlecsik @ 2006-03-10 8:15 UTC
To: Menno Smits; +Cc: netfilter
Hi,
On Fri, 10 Mar 2006, Menno Smits wrote:
> Is there a reason why the ipset's nethash set type can't be used with
> single IPs (/32) as well as larger networks? I'd really like to be able
> to use networks and IPs in the same set.
An IP(v4) address is a 32-bit number. A network address consists of an IP
address and a mask value. In nethash the IP address *and* the mask
together are stored in 32 bits. Therefore it is not possible to store plain
IP addresses in that type of set.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Why is ipset nethash set type limited to /31?
From: Jozsef Kadlecsik @ 2006-03-10 13:33 UTC
To: Menno Smits; +Cc: Netfilter Mailing list
Hi,
On Fri, 10 Mar 2006, Menno Smits wrote:
> On a side note, I agree that IPset is fabulous and should be part of
> mainline netfilter. It can greatly simplify otherwise complex firewall
> configurations.
Thanks ;-). Currently we are working on rewriting some parts of ipset
(kernel-userspace communication is being converted to netlink) and improving
the hash types for the next release.
The 'binding' feature, as a hard to grasp and not effective enough feature, will go;
instead of it there will be some new set types. I wonder whether anyone
uses binding at all...
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Why is ipset nethash set type limited to /31?
From: Menno Smits @ 2006-03-12 22:47 UTC
To: Netfilter Mailing list
Hi Jozsef,
Jozsef Kadlecsik wrote:
> Hi,
>
> On Fri, 10 Mar 2006, Menno Smits wrote:
>
>> Is there a reason why the ipset's nethash set type can't be used with
>> single IPs (/32) as well as larger networks? I'd really like to be able
>> to use networks and IPs in the same set.
>
> An IP(v4) address is a 32-bit number. A network address consists of an IP
> address and a mask value. In nethash the IP address *and* the mask
> together are stored in 32 bits. Therefore it is not possible to store plain
> IP addresses in that type of set.
Ok fair enough.
How would you feel about a "union" set type? Union sets would be
configured to refer to 1 or more other sets. If the IP is found in any
of the child sets it returns a match.
Example usage could be something like:
# ipset -N foo iphash
# ipset -A foo 192.168.0.1
# ipset -N bar nethash
# ipset -A bar 10.0.0.0/8
# ipset -N foobar union --set foo --set bar
# ipset -T foobar 192.168.0.1
192.168.0.1 is in set foobar.
# ipset -T foobar 10.1.2.3
10.1.2.3 is in set foobar.
# ipset -T foobar 192.168.0.2
192.168.0.2 is NOT in set foobar.
# ipset -T foobar 11.0.0.2
11.0.0.2 is NOT in set foobar.
Obviously the set types that could be used in the union would have to be
compatible. Mixing an iphash and an ipportmap wouldn't make much sense.
Your thoughts?
Regards,
Menno
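Added illustration, not ipset's code or its real internal layout: a constructed marker-bit scheme packs a network and its prefix length into one 32-bit word, which shows concretely why Jozsef's "address and mask share 32 bits" rule leaves no room for a /32, and the union-set idea above is replayed over an iphash and a nethash on Menno's own example. Class names and the encoding are assumptions made for this example.

```python
import ipaddress

# Constructed encoding (NOT nethash's real layout): keep the prefix bits and set
# one marker bit in the highest host bit; the remaining host bits stay zero.
# Since the mask shares the 32 bits with the address, a /32 has no host bit left
# for the marker, so only /0 .. /31 can be represented, as the thread describes.
def pack(ip: int, plen: int) -> int:
    if not 0 <= plen <= 31:
        raise ValueError(f"/{plen}: no host bit left to encode the mask")
    host_bits = 32 - plen
    net = ip & (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    return net | (1 << (host_bits - 1))

def unpack(word: int) -> tuple:
    """Return (network, prefixlen); the marker is the lowest set bit."""
    marker = word & -word
    host_bits = marker.bit_length()          # marker == 1 << (host_bits - 1)
    return word ^ marker, 32 - host_bits

class IpHash:                                # plain addresses, like 'iphash'
    def __init__(self):
        self.ips = set()
    def add(self, ip: str):
        self.ips.add(int(ipaddress.IPv4Address(ip)))
    def test(self, ip: str) -> bool:
        return int(ipaddress.IPv4Address(ip)) in self.ips

class NetHash:                               # packed networks, like 'nethash'
    def __init__(self):
        self.words, self.cidrs = set(), set()
    def add(self, network: str):
        net = ipaddress.IPv4Network(network, strict=False)
        self.words.add(pack(int(net.network_address), net.prefixlen))
        self.cidrs.add(net.prefixlen)        # prefix lengths probed on lookup
    def test(self, ip: str) -> bool:
        a = int(ipaddress.IPv4Address(ip))
        return any(pack(a, c) in self.words for c in self.cidrs)

class UnionSet:                              # the proposed 'union' set type
    def __init__(self, *children):
        self.children = children
    def test(self, ip: str) -> bool:
        return any(child.test(ip) for child in self.children)

def menno_example() -> dict:
    """Replay the ipset session from the mail: foo (iphash), bar (nethash)."""
    foo, bar = IpHash(), NetHash()
    foo.add("192.168.0.1")
    bar.add("10.0.0.0/8")
    foobar = UnionSet(foo, bar)
    return {ip: foobar.test(ip)
            for ip in ("192.168.0.1", "10.1.2.3", "192.168.0.2", "11.0.0.2")}
```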
* Re: Why is ipset nethash set type limited to /31?
From: Jozsef Kadlecsik @ 2006-03-14 9:22 UTC
To: Menno Smits; +Cc: Netfilter Mailing list
Hi,
On Mon, 13 Mar 2006, Menno Smits wrote:
> How would you feel about a "union" set type? Union sets would be
> configured to refer to 1 or more other sets. If the IP is found in any
> of the child sets it returns a match.
Technically it is not difficult to add a union type. But first we'd like
to complete the transition from sockopt to netlink based kernel-userspace
communication (it involves the internal API of the set types as well).
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary