From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [ANNOUNCE] ipset 6.11 released
Date: Sun, 15 Jan 2012 22:38:10 +0000 [thread overview]
Message-ID: <4F135552.4070804@googlemail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1201152100050.29766@blackhole.kfki.hu>
> Your request means a third mode, which could lead to even more confusion,
> because that way one could not check whether the tested address as
> *element* is added to the set or not.
>
This is not a feature request, it is a bug fix!
If ipset, for whatever reason, can't (or won't) handle ip range for
match testing, then such requests should be discarded with the
appropriate error or warning message on the console given by the ipset
binary, or, the appropriate functionality should be implemented so that
such test matches give the right result.
Neither of this currently happens - ipset accepts the ip range value and
then outputs the wrong result (indicating that there is no match where
it clearly is). So, what I have highlighted in my previous posts is,
evidently, *not* a feature request, but a *bug fix*.
> There's no magical element-aggregation in the hash:* types. That is, even
> if 10.1.0.0/16 is added as an element, 10.1.0.0/24 can be added again as
> an independent element: either it should be rejected (when the command was
> issued without the --exist flag) or silently ignored (when was issued with
> it).
I am not very familiar with the inner intricacies of ipset (I am just a
user at the end of the day), so I can't comment on whether this ip range
match could (or should) be implemented, but the way ipset now works is
wrong, unless you believe that the 10.1.12.0/24 ip range is not matched,
in its entirety, by the 10.1.0.0/16 one. Not to mention that the above
bug is a clear *regression* as the v4.x version of the ipset binary was
able, for whatever reason , to produce matches - successfully - using ip
ranges like the one I used as an example in my initial post.
> So even to consider your feature requests, it could come only after
> implementing element-aggregation.
>
Again, this is *not* a feature request - it is a bug fix and I think I
already pointed out above why that is so.
next prev parent reply other threads:[~2012-01-15 22:38 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-14 14:52 [ANNOUNCE] ipset 6.11 released Jozsef Kadlecsik
2012-01-15 17:16 ` Mr Dash Four
2012-01-15 17:27 ` Jozsef Kadlecsik
2012-01-15 18:05 ` Mr Dash Four
2012-01-15 20:21 ` Jozsef Kadlecsik
2012-01-15 22:38 ` Mr Dash Four [this message]
2012-01-16 8:27 ` Jozsef Kadlecsik
2012-01-18 23:53 ` Mr Dash Four
2012-01-19 11:04 ` Jozsef Kadlecsik
2012-01-19 22:00 ` Mr Dash Four
2012-01-20 12:49 ` Jozsef Kadlecsik
2012-01-20 16:45 ` Mr Dash Four
2012-01-21 8:12 ` Amos Jeffries
2012-01-21 14:07 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F135552.4070804@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).