Re: Ranges and Single IPs

Re: Ranges and Single IPs

[Gilad Benjamini]

I'd like to write a rule for a group. A group can include both single
IP addresses and ranges of addresses.
ipset can do the job with single addresses.
ipragne can do the job with ranges

How can I combine the two ?

Re: Ranges and Single IPs

[Jan Engelhardt]

On Wednesday 2008-04-09 20:40, Gilad Benjamini wrote:

>I'd like to write a rule for a group. A group can include both single
>IP addresses and ranges of addresses.
>ipset can do the job with single addresses.
>ipragne can do the job with ranges
>
>How can I combine the two ?

A range can be modeled upon collections of single addresses.
In short, you still use ipset; it will convert a range
to a number of single addresses and everything is fine. No?

Re: Ranges and Single IPs

[Gilad Benjamini]

True, but I am looking for a more optimized solution

2008/4/9, Jan Engelhardt <jengelh@computergmbh.de>:
>
>  On Wednesday 2008-04-09 20:40, Gilad Benjamini wrote:
>
>  >I'd like to write a rule for a group. A group can include both single
>  >IP addresses and ranges of addresses.
>  >ipset can do the job with single addresses.
>  >iprange can do the job with ranges
>  >
>  >How can I combine the two ?
>
>
> A range can be modeled upon collections of single addresses.
>  In short, you still use ipset; it will convert a range
>  to a number of single addresses and everything is fine. No?
>

Re: Ranges and Single IPs

[Jan Engelhardt]

On Wednesday 2008-04-09 21:17, Gilad Benjamini wrote:

>True, but I am looking for a more optimized solution

ipset is likely to optimize it when the iptree (dunno
what it was called) methods is used.

Re: Ranges and Single IPs

[Jan Engelhardt]

On Wednesday 2008-04-09 21:17, Gilad Benjamini wrote:

>True, but I am looking for a more optimized solution


I assume ipset's iptree is smart enough to do short-circuiting
if you have /24, /16 or /8 networks.

Re: Ranges and Single IPs

[Jozsef Kadlecsik]

On Wed, 9 Apr 2008, Jan Engelhardt wrote:

> On Wednesday 2008-04-09 21:17, Gilad Benjamini wrote:
> 
> >True, but I am looking for a more optimized solution
> 
> I assume ipset's iptree is smart enough to do short-circuiting
> if you have /24, /16 or /8 networks.

If you have got whole networks (/n), then ipset is smart enough to handle 
it (nethash type). If you have got ranges, then iptreemap type is the best 
choice.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: Ranges and Single IPs

[Покотиленко Костик]

В Чтв, 10/04/2008 в 09:21 +0200, Jozsef Kadlecsik пишет:
> On Wed, 9 Apr 2008, Jan Engelhardt wrote:
> 
> > On Wednesday 2008-04-09 21:17, Gilad Benjamini wrote:
> > 
> > >True, but I am looking for a more optimized solution
> > 
> > I assume ipset's iptree is smart enough to do short-circuiting
> > if you have /24, /16 or /8 networks.
> 
> If you have got whole networks (/n), then ipset is smart enough to handle 
> it (nethash type). If you have got ranges, then iptreemap type is the best 
> choice.

But, regarding this question, is there any way one can use IP-networks
and single IP-addresses in the same set? Personally I was unable to do
that since ipset doesn't accepts netmask of 32 or 31.

Say, I have the following set of ips and nets, could I and how could I
keep that in one set?:

192.168.0.0/24
192.168.1.128/30
192.168.2.1/32

-- 
Покотиленко Костик <casper@meteor.dp.ua>