ipset merge

ipset merge

[Jan Engelhardt]

Hi,


I was wondering whether there are any obstacles to merge ipset into 
mainline - for example, it being too much of a hack like ipt_ROUTE was.
Otherwise, I'd like to prepare and submit it.


Thanks,
	Jan
-- 

Re: ipset merge

[Pablo Neira Ayuso]

Jan Engelhardt wrote:
> I was wondering whether there are any obstacles to merge ipset into 
> mainline - for example, it being too much of a hack like ipt_ROUTE was.
> Otherwise, I'd like to prepare and submit it.

It must use the new nfnetlink infrastructure. Jozsef is currently
working on that. I wanted to have a look at it but I have had not time
so far.

-- 
"Será preciso viajar a través de los ojos de los idiotas" -- Poeta en
Nueva York -- Federico García Lorca.

Re: ipset merge

[Jozsef Kadlecsik]

Hi,

On Wed, 1 Aug 2007, Pablo Neira Ayuso wrote:

> Jan Engelhardt wrote:
>> I was wondering whether there are any obstacles to merge ipset into
>> mainline - for example, it being too much of a hack like ipt_ROUTE was.
>> Otherwise, I'd like to prepare and submit it.
>
> It must use the new nfnetlink infrastructure.

Yes, exactly. But besides the netlink infrastructure it must also support 
IPv6, before thinking on merging. The main modifications in ipset I'm 
planning and working are

- use netlink instead of sockopt
- support IPv6
- throw away binding of sets (the hackish part of ipset), which is
   complex and not efficient enough
- add new set types as a substitute of the purged out bindings
- throw away 'iptree' type which is somewhat a fiasco :-(
- add 'timeout' support to all set types
- add a 'union' type to make life even more easier :-)

> Jozsef is currently working on that.

Yep, slower than I hoped :-(.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

Re: ipset merge

[pud]

On Sat, 11 Aug 2007, Jozsef Kadlecsik wrote:

> - throw away binding of sets (the hackish part of ipset), which is
>   complex and not efficient enough
> - add new set types as a substitute of the purged out bindings

an ip-port set would be really nice ;)


>> Jozsef is currently working on that.
>
> Yep, slower than I hoped :-(.

thanx


=;p/ud aka nerdpunk

-- 
auf der flucht vor einem selber und der rache der krawatten
springt man eher aus dem fenster, als ueber seinen schatten...
	                                        	- kaput krauts
gpg-key #C3B04767

Re: Re: ipset merge

[Daniel]

>
>On Sat, 11 Aug 2007, Jozsef Kadlecsik wrote:
>
>> - throw away binding of sets (the hackish part of ipset), which is
>>   complex and not efficient enough
>> - add new set types as a substitute of the purged out bindings
>
>an ip-port set would be really nice ;)
That's also what I need when I tried to match some nat-traversal address.

>
>>> Jozsef is currently working on that.
>>
>> Yep, slower than I hoped :-(.
>
>thanx
>
>
>=;p/ud aka nerdpunk
>
>-- 
>auf der flucht vor einem selber und der rache der krawatten
>springt man eher aus dem fenster, als ueber seinen schatten...
>	                                        	- kaput krauts
>gpg-key #C3B04767
>
>

Regards			 

Daniel

 tooldcas@163.com
 2007-08-13