From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Dennis Jacobfeuerborn <dennisml@conversis.de>,
netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org
Subject: Re: [ANNOUNCE] ipset-5.0 released
Date: Mon, 27 Dec 2010 18:52:32 +0000 [thread overview]
Message-ID: <4D18E070.6010107@googlemail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1012271854400.11291@blackhole.kfki.hu>
>> Fair enough. Any idea when ipset 5.2 will be incorporated into xtables so that
>> I could download it and start testing it? *nudges Jan*
>>
>
> You constantly ignore the difference between xtables and xtables-addons...
>
You know exactly what I meant.
>> If I understand you correctly, you keep a separate structure which stores all
>> prefixes used in the target set, walk through that structure and for each
>> element you build start-end range based on the IP address captured and the
>> current prefix. You then create a hash on the calculated start-end range,
>> protocol and port triple and then test that hash against the hash value of the
>> target set triple (IP range, protocol, port). Is that how you do it?
>>
>
> No, there's no point to store start-end ranges: the network address and
> the prefix is stored, which thus require less memory compared to the
> range.
>
OK, so you store IP address and then the range. Do you then perform the
process as I described above in order to find a match?
>> I think the culprit is not the set itself, but the SET target as I find it
>> rather foolish that someone would let an outsider to manipulate a set using
>> this SET target. For example, if I am an attacker and I know that the target
>> machine relies on access to certain IP address, then I could craft a packet in
>> such a way that it triggers this SET target which then includes the IP
>> address/range in the 'attackers' set and therefore disable access to that
>> address on the target machine - job done!
>>
>
> Of course, it's absolutely possible. However in order to slow down for
> example ssh scanning, even short time blocking of the addresses from
> which scanning is detected can be quite useful.
>
Anything which manipulates the internal structure from outside is, in my
opinion, not a good idea for the reason I mentioned above.
On a separate note, once I've installed ipset 5.2 I am very keen on
testing both type of sets (iptreemap and the new hash set) to see what
is the performance penalty with the new sets (there will probably be one
as your search algorithm is more complex in 5.x and would require more
iterations compared with the 4.x type sets).
next prev parent reply other threads:[~2010-12-27 18:52 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-17 22:26 [ANNOUNCE] ipset-5.0 released Jozsef Kadlecsik
2010-12-17 23:32 ` Jan Engelhardt
2010-12-18 10:40 ` Jozsef Kadlecsik
2010-12-18 7:29 ` Rob Sterenborg (lists)
2010-12-18 11:13 ` Jozsef Kadlecsik
2010-12-18 15:43 ` Jan Engelhardt
2010-12-18 19:50 ` Jozsef Kadlecsik
2010-12-18 21:49 ` Jan Engelhardt
2010-12-19 0:05 ` Jozsef Kadlecsik
2010-12-19 0:28 ` Jan Engelhardt
2010-12-19 5:56 ` Jan Engelhardt
2010-12-19 18:23 ` Rob Sterenborg (lists)
2010-12-21 11:14 ` Rob Sterenborg (lists)
2010-12-21 14:03 ` Jozsef Kadlecsik
2010-12-18 14:22 ` Mr Dash Four
2010-12-18 20:23 ` Jozsef Kadlecsik
2010-12-18 21:51 ` Mr Dash Four
2010-12-18 22:10 ` Jan Engelhardt
2010-12-18 22:23 ` Mr Dash Four
2010-12-19 0:34 ` Jozsef Kadlecsik
2010-12-19 13:52 ` Mr Dash Four
2010-12-19 15:20 ` Dennis Jacobfeuerborn
2010-12-19 17:04 ` Mr Dash Four
2010-12-22 10:59 ` Jozsef Kadlecsik
2010-12-22 12:48 ` Mr Dash Four
2010-12-23 15:39 ` Jozsef Kadlecsik
2010-12-23 17:50 ` Mr Dash Four
2010-12-23 17:55 ` David Miller
2010-12-23 18:00 ` Mr Dash Four
2010-12-23 18:06 ` David Miller
2010-12-23 18:10 ` Mr Dash Four
2010-12-23 19:35 ` Jozsef Kadlecsik
2010-12-23 22:23 ` Mr Dash Four
2010-12-23 22:46 ` Jozsef Kadlecsik
2010-12-23 22:56 ` Jozsef Kadlecsik
2010-12-23 23:06 ` Mr Dash Four
2010-12-26 10:30 ` Jozsef Kadlecsik
2010-12-26 13:47 ` Mr Dash Four
2010-12-26 20:09 ` Jozsef Kadlecsik
2010-12-26 21:44 ` Mr Dash Four
2010-12-27 14:49 ` Jozsef Kadlecsik
2010-12-27 16:23 ` Mr Dash Four
2010-12-27 18:20 ` Jozsef Kadlecsik
2010-12-27 18:52 ` Mr Dash Four [this message]
2010-12-28 19:26 ` Jozsef Kadlecsik
2010-12-23 23:03 ` Mr Dash Four
2010-12-26 10:32 ` Jozsef Kadlecsik
2010-12-23 21:51 ` Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D18E070.6010107@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=dennisml@conversis.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).