From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nomatch in bitmap:* sets
Date: Sun, 08 Apr 2012 23:28:30 +0100
Message-ID: <4F82110E.70100@googlemail.com>
In-Reply-To: <alpine.DEB.2.00.1204082006190.4765@blackhole.kfki.hu>

>> Currently only hash:* sets have the "nomatch" feature. Could this be
>> extended to bitmap:* sets as well?
>>
>
> Actually, hash:*net* types have the "nomatch" feature. How would it make
> sense to add it to the bitmap:* types too?
>
I was thinking along the lines of this:

1. bitmap:port - currently, if I want to exclude specific ports from a
given range (say ports 21,80,119,443 from port range 1-1023) then I
have to do the following:

    n test-ports bitmap:port range 1-1023 timeout 0
    a test-ports 1-20
    a test-ports 22-79
    a test-ports 81-118
    a test-ports 120-442
    a test-ports 444-1023

Very inconvenient and it is not immediately obvious which ports have
been excluded from that range. By doing something like this:

    n test-ports bitmap:port range 1-1023 timeout 0
    a test-ports 1-1023
    a test-ports 21 nomatch
    a test-ports 80 nomatch
    a test-ports 119 nomatch
    a test-ports 443 nomatch

it is much clearer what is going on.

2. bitmap:ip - same as above really: If I want to exclude particular
IP addresses from a given range (say 10.1.1.3, 10.1.1.9 and 10.1.1.14
from 10.1.1.0/24) I have to do almost the same as with bitmap:port set
above:

    n test-bitmap-net bitmap:ip range 10.1.1.0/24 timeout 0
    a test-bitmap-net 10.1.1.0-10.1.1.2
    a test-bitmap-net 10.1.1.4-10.1.1.8
    a test-bitmap-net 10.1.1.10-10.1.1.13
    a test-bitmap-net 10.1.1.15-10.1.1.255

Again, it is not immediately obvious what has been excluded. By doing
something like the following:

    n test-bitmap-net bitmap:ip range 10.1.1.0/24 timeout 0
    a test-bitmap-net 10.1.1.0/24
    a test-bitmap-net 10.1.1.3 nomatch
    a test-bitmap-net 10.1.1.9 nomatch
    a test-bitmap-net 10.1.1.14 nomatch

it is much clearer.
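
Added example, not part of the original message or of ipset itself: a POSIX shell helper that generates the gap ranges of the bitmap:port workaround described above from a list of excluded ports, so the exclusions are kept in one place. The function names gen_bitmap_port and emit_range are hypothetical; the output uses the same abbreviated "n"/"a" lines as the message.

```shell
#!/bin/sh
# Added example: build the "range with holes" listing for a bitmap:port set.
# Function names are hypothetical; output mirrors the n/a lines in the message.

# emit_range SET START END: print one add line, collapsing START-END when equal.
emit_range() {
    if [ "$2" -eq "$3" ]; then
        printf 'a %s %s\n' "$1" "$2"
    else
        printf 'a %s %s-%s\n' "$1" "$2" "$3"
    fi
}

# gen_bitmap_port SET LO HI [EXCLUDED_PORT...]
# Prints the create line, then one add line per gap between excluded ports.
gen_bitmap_port() {
    gbp_set=$1
    gbp_lo=$2
    gbp_hi=$3
    shift 3
    printf 'n %s bitmap:port range %s-%s timeout 0\n' "$gbp_set" "$gbp_lo" "$gbp_hi"
    gbp_start=$gbp_lo
    # Sort numerically and drop duplicates so the input order does not matter.
    for gbp_p in $(printf '%s\n' "$@" | sort -n -u); do
        # Exclusions outside the set's range cannot create a gap; skip them.
        if [ "$gbp_p" -lt "$gbp_lo" ] || [ "$gbp_p" -gt "$gbp_hi" ]; then
            continue
        fi
        # Emit everything between the previous exclusion and this one.
        if [ "$gbp_p" -gt "$gbp_start" ]; then
            emit_range "$gbp_set" "$gbp_start" $((gbp_p - 1))
        fi
        gbp_start=$((gbp_p + 1))
    done
    # Trailing range after the last excluded port, if any ports remain.
    if [ "$gbp_start" -le "$gbp_hi" ]; then
        emit_range "$gbp_set" "$gbp_start" "$gbp_hi"
    fi
    return 0
}

# The case from the message: exclude 21, 80, 119 and 443 from 1-1023.
gen_bitmap_port test-ports 1 1023 21 80 119 443
```
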