netfilter-devel.vger.kernel.org archive mirror
* ipset hash:net:port:net
@ 2023-06-22 14:50 Марк Коренберг
  2023-06-23 18:30 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 2+ messages in thread
From: Марк Коренберг @ 2023-06-22 14:50 UTC (permalink / raw)
  To: Jozsef Kadlecsik, netfilter, netfilter-devel, kadlecsik.jozsef,
	kadlec

Hi everyone.

1. In the latest ipset, adding "1.2.3.4/0,tcp:0,1.2.3.0/24" is not
allowed. I would like it to be allowed. It should match on any TCP
traffic that matches source and destination.
2. The same for protocol number 0. I want "1.2.3.4/0,0:0,1.2.3.0/24"
to match all traffic that matches source and destination.

These requirements come from real cases, where an administrator
adds rules to control access to his networks.

Is it possible to make such changes? TCP port 0 is not a real thing, as
well as IP protocol 0. So we can give them special meaning in IPSets.

Although icmp:0 is not so clear in this case. Possibly allow setting -1
as protocol or port for matching any?

-- 
Segmentation fault
