From: "Martin Kratochvíl" <martin.kratochvil@altnet.cz>
To: netfilter-devel@vger.kernel.org
Subject: libxt_set.man - iptables build 20151116 - some suggestions
Date: Wed, 18 Nov 2015 00:10:43 +0100
Message-ID: <564BB3F3.8030906@altnet.cz>


Hello,
I am trying to use iptables ... -m set --match-set against the ipset infrastructure
(using nightly build 20151116, kernel 4.2.3).

I have some suggestions after I successfully made it work. And thank
you - my router is more powerful now.

1) In the man page file libxt_set.man:
Until I experimented and looked into the code I did not understand what is meant
by "test src,dst".

Please add some more examples to this man page to make it better:

If you have an ipset table MYIPS of type hash:ip and want to match by source
IP, use
iptables -I FORWARD -m set --match-set MYIPS src -j LOG
If you have an ipset table MYIPS of type bitmap:ip,mac and want to match by
source IP and source MAC, use
iptables -I FORWARD -m set --match-set MYIPS src,src -j LOG
or add any other.

2) The name of the option "--match-set" does not follow the logic used by iptables;
I suggest changing it to "--set-match".

Look at other options in iptables-extensions:
-m hashlimit --hashlimit-above
-m limit --limit-burst

Also the name in -j SET could be reversed (--set-map).

3) Could the target -j SET have some options to jump to some iptables
chain by some value stored in ipset?
For example, if you stored an skbmark with an IP address, you can change the
mark of a packet matched in the list in one rule:

iptables -j SET --map-set MYIPS src --map-mark

but if you have chains, for example customer_0000 customer_0001 ...
customer_ffff,
you have no way to jump in one rule, and you need some
hierarchical chains, mostly generated by a script.

Something like "JUMP" using the mark, or using some value stored with the IP as
skbmark:

iptables -j SET --map-set MYIPS --map-jump-mark-prefix "customer_"
so when you match an IP in the ipset table, find the mark and then jump to the
specific chain.

4) Do you have any plan for when you will release stable iptables 1.6.0 :-) ?

Best Regards
Martin Kratochvil
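The point the message raises in item 1 is that each src/dst flag given to "-m set --match-set" refers, in order, to one component of the ipset type (so "src,src" against a bitmap:ip,mac set means source IP and source MAC). The following helper is an added example for this page, not code from the message or from the iptables project: it checks that exactly one flag per component was supplied and that every flag is src or dst, then prints the resulting rule instead of running it, so it needs neither root nor a loaded set. The set name MYIPS, the FORWARD chain and the LOG target are taken from the examples above; the printing-only behaviour is an assumption made so the helper can be exercised safely.

```shell
# Added example (not from the original message or from iptables itself).
# build_set_match SETNAME SETTYPE FLAGS
#   SETTYPE is the ipset type, e.g. hash:ip or bitmap:ip,mac. The part after
#   the colon lists the components that the src/dst flags refer to, in order.
#   Prints the iptables rule on success; returns 1 on a bad flag list.

# Number of comma-separated fields in $1 (0 for an empty string).
count_fields() {
    printf '%s\n' "$1" | awk -F, '{ print NF }'
}

build_set_match() {
    setname=$1
    settype=$2
    flags=$3
    components=${settype#*:}          # "ip,mac" from "bitmap:ip,mac"
    ncomp=$(count_fields "$components")
    nflags=$(count_fields "$flags")

    # One direction flag is needed per component of the set type.
    if [ "$ncomp" -ne "$nflags" ]; then
        echo "error: type $settype has $ncomp component(s) but $nflags flag(s) were given" >&2
        return 1
    fi

    # Each flag must be src or dst.
    for f in $(printf '%s\n' "$flags" | tr ',' ' '); do
        case $f in
            src|dst) ;;
            *) echo "error: flag '$f' must be src or dst" >&2; return 1 ;;
        esac
    done

    # Assumed chain and target, matching the examples in the message.
    printf 'iptables -I FORWARD -m set --match-set %s %s -j LOG\n' "$setname" "$flags"
}

# Usage (prints the rule; second call fails because hash:ip,port needs two flags):
build_set_match MYIPS bitmap:ip,mac src,src
build_set_match MYIPS hash:ip,port src || echo "rejected as expected"
```

Running the helper against the two examples from the message reproduces them exactly; feeding it a two-component type with a single flag is rejected before any rule is emitted, which is the mismatch the man page text does not make obvious.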



