Re: ipset -R

[Mr Dash Four <mr.dash.four@googlemail.com>]

> However with hash:net type
>
> # ipset -N test hash:net
> # ipset -A test 10.1.1.0/24
> # ipset -D test 10.1.1.12
> ipset v6.0: Element cannot be deleted from the set: it's not added
>   
Well, that's plain wrong, isn't it? The 'element' 10.1.1.12 does exist 
and it is added (albeit implicitly as part of 10.1.1.0/24). I also 
presume 'ipset -T test 10.1.1.12' will return a positive result, so 
there is something which isn't quite right.

> and that's also right, because the hash types do not magically figure out 
> overlapping ranges and collapse those or break up ranges into parts when 
> deleting intersecting elements.
>   
I do not know the reasons for removing this as it was a nice 'feature' 
though I now understand the 'deletion' part even if I do not agree with it.

> The hash:*net* types could be extended to store non-matching elements, 
> something like this:
>
> # ipset -N test hash:net
> # ipset -A test 10.1.1.0/24
> # ipset -A test 10.1.1.12 --nomatch
>
> That way overlapping entries with different "access right" could be stored 
> in a single set. But any coding needs time and testing.
>   
I am not sure I understand the above - is this already implemented (in 
6.0?) or is this on the 'drawing board' so to speak? What do you mean by 
'access right'?

On a separate query relating to my initial post of this thread - Pandu 
Poluan proposed a nice 'get-out-of-jail' solution to my problem, which I 
already found a way to optimise a little, but need to make sure I am 
doing the right thing: if I have my whitelist, blacklist-1, blacklist-2 
... blacklist-x sets registered and they have (quite a lot of) members 
can I then do this:

ipset -N list blacklist-all
ipset -A blacklist-all blacklist-1
...
ipset -A blacklist-all blacklist-x

and then add my iptables statement:

(1) -m set ! --match-set whitelist src -m set --match-set blacklist-all 
src -j DROP

Would that be the equivalent of (2):

-m set ! --match-set whitelist src -m set --match-set blacklist-1 src -j 
DROP
...
-m set ! --match-set whitelist src -m set --match-set blacklist-x src -j 
DROP

In other words, I combine all of my blacklisted sets into one of type 
'list' where I assume 1) that all sub-set elements of the 'list' set are 
queried for a match; and 2) executing one iptables statement with a set 
match/mismatch (i.e. 1 above) is better, performance-wise, than 
(potentially) traversing through multiple iptables statements with a set 
match/mismatch (as shown on 2 above)?

If so, how is the blacklist-all set stored - do you copy all the 
elements of all the sets into a separate memory space or do you just 
reference the set (which means that if I alter, say, blacklist-2, the 
changes are 'automatically' applied to blacklist-all as well)?

I can't combine all elements of my blacklist-x sets into one big one 
because 1) I use separate blacklist-x sets elsewhere in my ip chains; 
and 2) my blacklist-x sets are not of the same type.