* Status of iptables target support in ipset
@ 2012-10-26 13:58 Csordás Csaba Ifj.
  2012-10-27  7:26 ` Jozsef Kadlecsik
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Csordás Csaba Ifj. @ 2012-10-26 13:58 UTC (permalink / raw)
  To: netfilter

Dear Reader,

I would like to ask when it will be possible to write such rules as
mentioned in $SUBJECT.

For example:

ipset new foo hash:ip
ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG ... -t nat -A
POSTROUTING -j SNAT ... -t mangle -A PREROUTING -j MARK ...


Sorry for my bad English.

Regards,
Csordás Csaba Ifj.

* Re: Status of iptables target support in ipset
  2012-10-26 13:58 Status of iptables target support in ipset Csordás Csaba Ifj.
@ 2012-10-27  7:26 ` Jozsef Kadlecsik
  2012-11-07 10:03 ` Eliezer Croitoru
  2012-11-12 12:27 ` Ed W
  2 siblings, 0 replies; 9+ messages in thread
From: Jozsef Kadlecsik @ 2012-10-27  7:26 UTC (permalink / raw)
  To: Csordás Csaba Ifj.; +Cc: netfilter

On Fri, 26 Oct 2012, Csordás Csaba Ifj. wrote:

> I would like to ask when it will be possible to write such rules as
> mentioned in $SUBJECT.
> 
> For example:
> 
> ipset new foo hash:ip
> ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG ... -t nat -A
> POSTROUTING -j SNAT ... -t mangle -A PREROUTING -j MARK ...

That's still on the todo list of ipset. Also, it requires some (small) 
changes in the netfilter core itself. After adding some locking 
improvements to ipset, hopefully I can start working on the subject.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

* Re: Status of iptables target support in ipset
  2012-10-26 13:58 Status of iptables target support in ipset Csordás Csaba Ifj.
  2012-10-27  7:26 ` Jozsef Kadlecsik
@ 2012-11-07 10:03 ` Eliezer Croitoru
  2012-11-07 20:51   ` Jozsef Kadlecsik
  2012-11-12 12:27 ` Ed W
  2 siblings, 1 reply; 9+ messages in thread
From: Eliezer Croitoru @ 2012-11-07 10:03 UTC (permalink / raw)
  To: "Csordás Csaba Ifj."; +Cc: netfilter

On 10/26/2012 3:58 PM, Csordás Csaba Ifj. wrote:
> Dear Reader,
>
> I would like to ask when it will be possible to write such rules as
> mentioned in $SUBJECT.
>
> For example:
>
> ipset new foo hash:ip
> ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG ... -t nat -A
> POSTROUTING -j SNAT ... -t mangle -A PREROUTING -j MARK ...
>
>
> Sorry for my bad English.

I won't say it will not give some benefits, but it seems to me like a 
simple bash script can do the same thing.

Eliezer
>
> Regards,
> Csordás Csaba Ifj.


-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

* Re: Status of iptables target support in ipset
  2012-11-07 10:03 ` Eliezer Croitoru
@ 2012-11-07 20:51   ` Jozsef Kadlecsik
  2012-11-07 21:07     ` Eliezer Croitoru
  0 siblings, 1 reply; 9+ messages in thread
From: Jozsef Kadlecsik @ 2012-11-07 20:51 UTC (permalink / raw)
  To: Eliezer Croitoru; +Cc: "Csordás Csaba Ifj.", netfilter

On Wed, 7 Nov 2012, Eliezer Croitoru wrote:

> On 10/26/2012 3:58 PM, Csordás Csaba Ifj. wrote:
> > 
> > I would like to ask when it will be possible to write such rules as
> > mentioned in $SUBJECT.
> > 
> > For example:
> > 
> > ipset new foo hash:ip
> > ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG ... -t nat -A
> > POSTROUTING -j SNAT ... -t mangle -A PREROUTING -j MARK ...
> > 
> > 
> > Sorry for my bad English.
> 
> I won't say it will not give some benefits, but it seems to me like a simple
> bash script can do the same thing.

No, the idea is to add targets per set entry. I.e. 

ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG --log-prefix foo
ipset add foo 192.168.1.2 -t filter -A FORWARD -j LOG --log-prefix bar

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

* Re: Status of iptables target support in ipset
  2012-11-07 20:51   ` Jozsef Kadlecsik
@ 2012-11-07 21:07     ` Eliezer Croitoru
  2012-11-07 21:42       ` Jozsef Kadlecsik
  0 siblings, 1 reply; 9+ messages in thread
From: Eliezer Croitoru @ 2012-11-07 21:07 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: "Csordás Csaba Ifj.", netfilter

On 11/7/2012 10:51 PM, Jozsef Kadlecsik wrote:
> No, the idea is to add targets per set entry. I.e.
>
> ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG --log-prefix foo
> ipset add foo 192.168.1.2 -t filter -A FORWARD -j LOG --log-prefix bar
>
> Best regards,
> Jozsef
Oh, now I understand.
But ipset was meant to be a "set match", no?
In iptables it's a module that matches a rule if it matches a set...
It's kind of confusing from the iptables point of view for me.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il

* Re: Status of iptables target support in ipset
  2012-11-07 21:07     ` Eliezer Croitoru
@ 2012-11-07 21:42       ` Jozsef Kadlecsik
  2012-11-08  0:47         ` Sven-Haegar Koch
  0 siblings, 1 reply; 9+ messages in thread
From: Jozsef Kadlecsik @ 2012-11-07 21:42 UTC (permalink / raw)
  To: Eliezer Croitoru; +Cc: "Csordás Csaba Ifj.", netfilter

On Wed, 7 Nov 2012, Eliezer Croitoru wrote:

> On 11/7/2012 10:51 PM, Jozsef Kadlecsik wrote:
> > No, the idea is to add targets per set entry. I.e.
> > 
> > ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG --log-prefix foo
> > ipset add foo 192.168.1.2 -t filter -A FORWARD -j LOG --log-prefix bar
> > 
> Oh, now I understand.
> But ipset was meant to be a "set match", no?
> In iptables it's a module that matches a rule if it matches a set...
> It's kind of confusing from the iptables point of view for me.

The SET target then would be extended as a "match and return the result of 
the target(s) belonging to the element":

iptables -A FORWARD -j SET --match-set foo dst

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

* Re: Status of iptables target support in ipset
  2012-11-07 21:42       ` Jozsef Kadlecsik
@ 2012-11-08  0:47         ` Sven-Haegar Koch
  0 siblings, 0 replies; 9+ messages in thread
From: Sven-Haegar Koch @ 2012-11-08  0:47 UTC (permalink / raw)
  To: Jozsef Kadlecsik
  Cc: Eliezer Croitoru, "Csordás Csaba Ifj.", netfilter

On Wed, 7 Nov 2012, Jozsef Kadlecsik wrote:

> On Wed, 7 Nov 2012, Eliezer Croitoru wrote:
> 
> > On 11/7/2012 10:51 PM, Jozsef Kadlecsik wrote:
> > > No, the idea is to add targets per set entry. I.e.
> > > 
> > > ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG --log-prefix foo
> > > ipset add foo 192.168.1.2 -t filter -A FORWARD -j LOG --log-prefix bar
> > > 
> > Oh, now I understand.
> > But ipset was meant to be a "set match", no?
> > In iptables it's a module that matches a rule if it matches a set...
> > It's kind of confusing from the iptables point of view for me.
> 
> The SET target then would be extended as a "match and return the result of 
> the target(s) belonging to the element":
> 
> iptables -A FORWARD -j SET --match-set foo dst

Sounds very interesting to me!

We currently have long chains with in principle:

	-d a.b.c.d -j MARK --set-mark 0x4711
	-d a.b.c.e -j MARK --set-mark 0x4712
and in a separate chain
	-s a.b.c.d -j MARK --set-mark 0x4711
	-s a.b.c.e -j MARK --set-mark 0x4712

sorting users into tc shaping queues, one queue per user to limit him to 
his personal bandwidth limit (limit not shared with other users). With 
sometimes 200-400 users it hurts quite a bit. Creating sub-chains helped,
but it is still bad, and did not make the iptables-restore input 
generating easier.

An ipset support with targets sounds very nice!

Looking forward to it,

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead.
- Ben F.
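
Worked example, added here by the editor and not code from this thread or from the ipset project: the long per-user MARK chains Sven-Haegar describes above, generated as iptables-restore input from a constructed "ip mark" table. To shorten the linear scan, the generator dispatches through one sub-chain per /24 so a packet is only compared against the entries of its own prefix. The chain names, the use of the mangle FORWARD chain, and the sample addresses and marks are all assumptions.

```shell
#!/bin/sh
# Added example (not from this thread, not ipset's own code).
# gen_mark_rules reads "ip mark" pairs on stdin and writes an iptables-restore
# *mangle table that marks traffic to and from each IP with its own fwmark.
# Users are grouped into one sub-chain per /24 (MARK_SRC_a_b_c / MARK_DST_a_b_c)
# so the dispatch chain has one rule per prefix instead of one rule per user.
# Chain names and the use of FORWARD are assumptions for this example.
gen_mark_rules() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                         # comments, blank lines
    NF != 2 { err("expected \"ip mark\""); next }
    $2 !~ /^0x[0-9a-fA-F]+$/ { err("mark must be hex like 0x4711"); next }
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { err("bad IPv4 address"); next }
    {
        split($1, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) { err("bad IPv4 address"); next }
        p = o[1] "_" o[2] "_" o[3]                       # per-/24 sub-chain suffix
        if (!(p in cidr)) { order[++n] = p; cidr[p] = o[1] "." o[2] "." o[3] ".0/24" }
        # One chain matches the user as source, the other as destination.
        # MARK is non-terminating, so the rest of the sub-chain is still walked;
        # a packet between two listed users ends up with the destination mark.
        src[p] = src[p] "-A MARK_SRC_" p " -s " $1 " -j MARK --set-mark " $2 "\n"
        dst[p] = dst[p] "-A MARK_DST_" p " -d " $1 " -j MARK --set-mark " $2 "\n"
    }
    END {
        if (bad) exit 1
        if (n == 0) { print "no entries" > "/dev/stderr"; exit 1 }
        print "*mangle"
        print ":FORWARD ACCEPT [0:0]"
        print ":MARK_SRC - [0:0]"
        print ":MARK_DST - [0:0]"
        for (i = 1; i <= n; i++) {
            print ":MARK_SRC_" order[i] " - [0:0]"
            print ":MARK_DST_" order[i] " - [0:0]"
        }
        print "-A FORWARD -j MARK_SRC"
        print "-A FORWARD -j MARK_DST"
        # dispatch: one rule per /24, then the per-user rules inside each sub-chain
        for (i = 1; i <= n; i++) {
            print "-A MARK_SRC -s " cidr[order[i]] " -j MARK_SRC_" order[i]
            print "-A MARK_DST -d " cidr[order[i]] " -j MARK_DST_" order[i]
        }
        for (i = 1; i <= n; i++) printf "%s%s", src[order[i]], dst[order[i]]
        print "COMMIT"
    }
    function err(msg) {
        printf "line %d: %s: %s\n", NR, msg, $0 > "/dev/stderr"
        bad = 1
    }'
}

# Constructed sample input (not real users or marks).
SAMPLE_USERS='10.0.1.5 0x4711
10.0.1.6 0x4712
10.0.2.9 0x4713'

printf '%s\n' "$SAMPLE_USERS" | gen_mark_rules
```

Feed the output to `iptables-restore` (or `iptables-restore --noflush` if other mangle rules must survive). A malformed line, for example a mark without the 0x prefix, makes the generator exit non-zero and print nothing, so a broken user table cannot half-load. For the exact use case in this message, later ipset releases added the skbinfo extension (`ipset create foo hash:ip skbinfo`, `ipset add foo 10.0.1.5 skbmark 0x4711`, `iptables -t mangle -A FORWARD -j SET --map-set foo dst --map-mark`), which stores the mark with each element and sets it from a single rule; that is a later development and not something this thread discusses.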

* Re: Status of iptables target support in ipset
  2012-10-26 13:58 Status of iptables target support in ipset Csordás Csaba Ifj.
  2012-10-27  7:26 ` Jozsef Kadlecsik
  2012-11-07 10:03 ` Eliezer Croitoru
@ 2012-11-12 12:27 ` Ed W
  2012-11-12 15:18   ` Jozsef Kadlecsik
  2 siblings, 1 reply; 9+ messages in thread
From: Ed W @ 2012-11-12 12:27 UTC (permalink / raw)
  To: "Csordás Csaba Ifj."; +Cc: netfilter

On 26/10/2012 14:58, Csordás Csaba Ifj. wrote:
> Dear Reader,
>
> I would like to ask when it will be possible to write such rules as
> mentioned in $SUBJECT.
>
> For example:
>
> ipset new foo hash:ip
> ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG ... -t nat -A
> POSTROUTING -j SNAT ... -t mangle -A PREROUTING -j MARK ...
>

At this point haven't you re-implemented almost the whole of netfilter 
inside ipset? (Or is that the point?).

Where do we draw the line?

Seems like an interesting idea anyway!

Ed W


* Re: Status of iptables target support in ipset
  2012-11-12 12:27 ` Ed W
@ 2012-11-12 15:18   ` Jozsef Kadlecsik
  0 siblings, 0 replies; 9+ messages in thread
From: Jozsef Kadlecsik @ 2012-11-12 15:18 UTC (permalink / raw)
  To: Ed W; +Cc: "Csordás Csaba Ifj.", netfilter

On Mon, 12 Nov 2012, Ed W wrote:

> On 26/10/2012 14:58, Csordás Csaba Ifj. wrote:
> > Dear Reader,
> > 
> > I would like to ask when it will be possible to write such rules as
> > mentioned in $SUBJECT.
> > 
> > For example:
> > 
> > ipset new foo hash:ip
> > ipset add foo 192.168.1.1 -t filter -A FORWARD -j LOG ... -t nat -A
> > POSTROUTING -j SNAT ... -t mangle -A PREROUTING -j MARK ...
> >  
> At this point haven't you re-implemented almost the whole of netfilter 
> inside ipset? (Or is that the point?).

No, not at all. The user part of ipset should be linked with libxtables 
and use the parser, structures from there. And the kernel part would call 
the corresponding netfilter target modules directly.

ipset is great for mass-matching. The functionality would just add the 
support of individual actions for the elements.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
