netfilter-devel.vger.kernel.org archive mirror
* ipset v5.0-pre10
@ 2010-12-15 14:28 Mr Dash Four
  2010-12-15 20:23 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 3+ messages in thread
From: Mr Dash Four @ 2010-12-15 14:28 UTC (permalink / raw)
  To: Netfilter Developer Mailing List

I've just looked at the code and man pages for the above - it makes some 
interesting reading!

I have a question though - Would it be possible for me to specify port 
ranges as well - if not at the members level, then at least from the 
command line?

For example, with the current setup if I want to include 'low' ports in 
a set, then I have to run a separate script with a 'count' value from 1 
to 1024 and execute 1024 different 'ipset -A' statements to include that 
particular port into the set. The situation is much worse if I am 
dealing with high-ports - for obvious reasons.

Would it be possible to be able to specify port ranges (say, '1-1024') 
in a similar fashion as it is currently done with ip address ranges?




* Re: ipset v5.0-pre10
  2010-12-15 14:28 ipset v5.0-pre10 Mr Dash Four
@ 2010-12-15 20:23 ` Jozsef Kadlecsik
  2010-12-15 23:46   ` Mr Dash Four
  0 siblings, 1 reply; 3+ messages in thread
From: Jozsef Kadlecsik @ 2010-12-15 20:23 UTC (permalink / raw)
  To: Mr Dash Four; +Cc: Netfilter Developer Mailing List

Hi,

On Wed, 15 Dec 2010, Mr Dash Four wrote:

> I've just looked at the code and man pages for the above - it makes some
> interesting reading!
> 
> I have a question though - Would it be possible for me to specify port ranges
> as well - if not at the members level, then at least from the command line?
> 
> For example, with the current setup if I want to include 'low' ports in a set,
> then I have to run a separate script with a 'count' value from 1 to 1024 and
> execute 1024 different 'ipset -A' statements to include that particular port
> into the set. The situation is much worse if I am dealing with high-ports -
> for obvious reasons.
> 
> Would it be possible to be able to specify port ranges (say, '1-1024') in a
> similar fashion as it is currently done with ip address ranges?

I don't completely understand you: the bitmap:port type already supports 
adding/deleting port ranges. Could you write a full example?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: ipset v5.0-pre10
  2010-12-15 20:23 ` Jozsef Kadlecsik
@ 2010-12-15 23:46   ` Mr Dash Four
  0 siblings, 0 replies; 3+ messages in thread
From: Mr Dash Four @ 2010-12-15 23:46 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: Netfilter Developer Mailing List


> I don't completely understand you: the bitmap:port type already supports 
> adding/deleting port ranges. Could you write a full example?
>   
OK, here goes (*full* example using a bash script):- Suppose that I need 
to define a pair of IP subnets with two ranges of ports - 
223.240.0.0/13:1-1024 and 223.248.13.0/24:8000-16000 - and include them 
in one set. In 4.x that will only be possible by using the following 
shell script (9 subsets, as the 4.x ipporthash construct accepts only /16 
subnets):
=======4.x===============
#!/bin/bash

cn_base_set='blacklisted-cn-240-special'
# initialise the new sets
for (( _i=0; _i < 8; _i++ )); do
  # - split in 8 subsets as 4.x can't have more than /16 (B-class) subnets
  #   in ipporthash constructs
  ipset -N $cn_base_set$_i ipporthash --network 223.24$_i.0.0/16
done
ipset -N blacklisted-cn-248-selected ipporthash --network 223.248.13.0/24

for (( _i=1; _i <= 1024; _i++ )); do
  # 1st loop - low port range (1-1024)
  for (( _j=0; _j < 8; _j++ )); do
    # 2nd loop - the eight 223.24x.0.0/16 subnets
    ipset -A blacklisted-cn-240-special$_j 223.24$_j.0.0/16,$_i
  done
done
for (( _i=8000; _i <= 16000; _i++ )); do
  # 2nd set - selected (8k-16k) port range
  ipset -A blacklisted-cn-248-selected 223.248.13.0/24,$_i
done
=========================

The above script will create 9 sets of type ipporthash: 
blacklisted-cn-240-special0 ... blacklisted-cn-240-special7 and 
blacklisted-cn-248-selected and then add the port ranges in the 
following manner:

ipset -A blacklisted-cn-240-special0 223.240.0.0/16,1
ipset -A blacklisted-cn-240-special1 223.241.0.0/16,1
...
ipset -A blacklisted-cn-240-special7 223.247.0.0/16,1
...
...
ipset -A blacklisted-cn-240-special7 223.247.0.0/16,1024

and then (last loop):

ipset -A blacklisted-cn-248-selected 223.248.13.0/24,8000
ipset -A blacklisted-cn-248-selected 223.248.13.0/24,8001
...
ipset -A blacklisted-cn-248-selected 223.248.13.0/24,16000

In 5.x-pre10 the above job would be a bit easier as I understand there 
is no limit on the size of the network (i.e. I am no longer constrained 
by a B-class subnet):

=======5.x-pre10===============
#!/bin/bash

# initialise the new combined set
ipset -N blacklisted-cn-combined hash:ip,port

for (( _i=1; _i <= 1024; _i++ )); do
  # 1st loop - low port range (1-1024)
  ipset add blacklisted-cn-combined 223.240.0.0/13,$_i
done
for (( _i=8000; _i <= 16000; _i++ )); do
  # 2nd set - selected (8k-16k) port range
  ipset add blacklisted-cn-combined 223.248.13.0/24,$_i
done
=========================

The above scripts will execute at least 9024 "ipset -A/add" statements!

It would be more convenient if I could do this in 5.x:

ipset -N blacklisted-cn-combined hash:ip,port
ipset -A blacklisted-cn-combined 223.240.0.0/13,1-1024
ipset -A blacklisted-cn-combined 223.248.13.0/24,8000-16000

Just 3 statements - much simpler and I won't bother with any loops!


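A way to produce the per-port add statements the scripts above run, as an added example that is not part of the thread: a POSIX shell function expands a `net,lo-hi` member spec (the notation the last message asks for) into one line per port, and a second function packs those lines into a batch for `ipset restore`. The `create`/`add`/`COMMIT` batch format and the `hash:ip,port` set type are assumptions taken from ipset 5 and from the 5.x script above; the netblocks and port ranges are the ones from the message.

```shell
#!/bin/sh
# Added example, not code from the thread. Expands "NET,LO-HI" member
# specs into "add" lines and wraps them in an "ipset restore" batch
# (assumed ipset 5 syntax), so the set is loaded by one ipset call
# instead of one process per port.

# expand_ipport_range SETNAME SPEC
#   SPEC is NET,PORT or NET,LO-HI. Prints "add SETNAME NET,PORT" once per
#   port. Rejects non-numeric, reversed or out-of-range port specs.
expand_ipport_range() {
    set_name=$1
    spec=$2
    net=${spec%,*}
    ports=${spec#*,}
    case "$ports" in
        *-*) lo=${ports%-*}; hi=${ports#*-} ;;
        *)   lo=$ports;      hi=$ports ;;
    esac
    case "$lo$hi" in
        ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;;
    esac
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "port range reversed or out of range: $spec" >&2
        return 1
    fi
    p=$lo
    while [ "$p" -le "$hi" ]; do
        printf 'add %s %s,%s\n' "$set_name" "$net" "$p"
        p=$((p + 1))
    done
}

# count_adds SPEC...
#   Number of "add" lines the given specs expand to (what the loops in
#   the scripts above would execute one ipset process each for).
count_adds() {
    total=0
    for s in "$@"; do
        n=$(expand_ipport_range x "$s" | wc -l)
        total=$((total + n))
    done
    echo "$total"
}

# build_restore_batch SETNAME TYPE SPEC...
#   Emits a complete batch: create line, all add lines, COMMIT.
#   Nothing is loaded here; pipe the output to "ipset restore" to load it.
build_restore_batch() {
    set_name=$1
    set_type=$2
    shift 2
    printf 'create %s %s\n' "$set_name" "$set_type"
    for s in "$@"; do
        expand_ipport_range "$set_name" "$s" || return 1
    done
    echo COMMIT
}

# Usage (set name, type and members taken from the 5.x script above):
#   build_restore_batch blacklisted-cn-combined hash:ip,port \
#       223.240.0.0/13,1-1024 223.248.13.0/24,8000-16000 | ipset restore
```

The batch approach keeps the validation in one place: a reversed range such as `8000-16` is refused before any line is emitted, whereas a bare loop would silently add nothing or the wrong ports.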
