Looking for info on ipset set type revisions

Looking for info on ipset set type revisions

[Ian Pilcher]

I am working on a C program that uses libmnl to do some basic ipset
manipulation - namely create a set of type hash:ip,port and then add
entries.

The best technique I've found to figure out the exact messages required
is to use strace with the ipset command.  strace does a pretty good job
of decoding the netlink messages, and I can generally figure out the
significance and meaning of other constants by looking at the various
header files.

The one thing that I haven't yet been able to figure out is set type
revisions.  When I use ipset to create a hash:ip,port set, I see that
it is passing 6 as the IPSET_ATTR_REVISION.  I can also that 6 is the
latest revision in lib/ipset_hash_ipportip.c, which is fine when using
the ipset command or calling libipset.

What about programs that don't use libipset?  How can an application
determine the latest/correct revision of a particular set type?  I
haven't been able to find anything in any of the header files that
seems relevant, nor do I see any way for an application to discover this
information at runtime.

Should I just hardcode 6?

Thanks!

-- 
========================================================================
Google                                      Where SkyNet meets Idiocracy
========================================================================

Re: Looking for info on ipset set type revisions

[Jozsef Kadlecsik]

Hi Ian,

On Tue, 8 Mar 2022, Ian Pilcher wrote:

> I am working on a C program that uses libmnl to do some basic ipset 
> manipulation - namely create a set of type hash:ip,port and then add 
> entries.
> 
> The best technique I've found to figure out the exact messages required 
> is to use strace with the ipset command.  strace does a pretty good job 
> of decoding the netlink messages, and I can generally figure out the 
> significance and meaning of other constants by looking at the various 
> header files.
> 
> The one thing that I haven't yet been able to figure out is set type
> revisions.  When I use ipset to create a hash:ip,port set, I see that
> it is passing 6 as the IPSET_ATTR_REVISION.  I can also that 6 is the
> latest revision in lib/ipset_hash_ipportip.c, which is fine when using
> the ipset command or calling libipset.
> 
> What about programs that don't use libipset?  How can an application
> determine the latest/correct revision of a particular set type?  

You can query the kernel about the highest revision number it supports for 
a given set type by sending an IPSET_CMD_TYPE message. There's a tiny 
documentation about the messages and their format in lib/PROTOCOL. 
However, not relying on libipset then you have to know which features are 
available in the given revision.

> I haven't been able to find anything in any of the header files that 
> seems relevant, nor do I see any way for an application to discover this 
> information at runtime.
> 
> Should I just hardcode 6?

You can hardcode the highest revision number for a given set type from 
libipset. I don't plan new revisions to introduce and even if that would 
happen, the only downside of hardcoding the number is that you won't be 
able to use new features introduced in higher revisions.

The kernel part always provides backward compatibility.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary