* [ANNOUNCE] ipset 6.7 released
@ 2011-05-31 20:11 Jozsef Kadlecsik
From: Jozsef Kadlecsik @ 2011-05-31 20:11 UTC (permalink / raw)
To: netfilter, netfilter-devel
Hi,
Besides a few bugfixes, ipset 6.7 comes with a new set type called
hash:net,iface. The new type makes it possible to store network address and
interface name pairs in a set. That way egress and ingress filtering is
possible with ipset, in just a few rules. Just an example:
# Define the set for all your networks and fill it out
ipset create nets hash:net
ipset add nets 10.0.0.0/8
ipset add nets 192.168.0.0/16
...
# Define the set with the allowed network, interface pairs
ipset create ifaces hash:net,iface
ipset add ifaces 10.0.0.0/24,eth0
ipset add ifaces 10.2.0.0/16,eth1
...
# Create a chain to handle your networks
iptables -N nets
iptables -A nets -m set --match-set ifaces src,src -j ACCEPT
iptables -A nets -j log-and-drop-spoofed-packets
# Egress and ingress filtering
iptables -t raw -A PREROUTING -m set --match-set nets src -j ifaces
iptables -t raw -A PREROUTING -i external-iface0 -j ACCEPT
iptables -t raw -A PREROUTING -i external-iface1 -j ACCEPT
...
iptables -t raw -j log-and-drop-spoofed-packets
# That's all :-)
Kernel part changes:
- Whitespace and coding fixes, detected by checkpatch.pl
- hash:net,iface type introduced
- Use the stored first cidr value instead of '1'
- Fix return code for destroy when sets are in use
- Add xt_action_param to the variant level kadt functions, ipset API
change
- Drop supporting kernel versions below 2.6.35
Userspace changes:
- Whitespace and coding fixes, detected by checkpatch.pl
- hash:net,iface type introduced
- hash:* tests may seem to fail due to a too-wide grep pattern; fix them
- Remove iptree tests and compatibility element parsing
- hash:net test may seem to fail due to a too-wide grep pattern; fix it
- Fix a long-uncovered bug when adding string attributes to the netlink
messages
- Fix warnings reported by valgrind
- Remove supporting set types iptree and iptreemap
You can download the source code of ipset from:
http://ipset.netfilter.org
ftp://ftp.netfilter.org/pub/ipset/
git://git.netfilter.org/ipset.git
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
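The announcement's rule set is short, but the decision it encodes is easy to get backwards (which flag selects the input interface, what happens to an internal address that no interface claims, what happens to a foreign address on an internal port). The following is an added example, not ipset's or the thread's own code: a pure-Python model of the `hash:net` and `hash:net,iface` match semantics and of the raw PREROUTING rules above, with the user chain named `ifaces` as the author's follow-up corrects. The class and function names, and the sample packets, are this example's own; the set contents are the ones from the announcement with the elided `...` entries left out.

```python
import ipaddress


class NetSet:
    """Minimal model of an ipset 'hash:net': stores CIDR prefixes and answers
    'is this address inside any stored prefix?'. Real ipset probes its hash once
    per distinct prefix length; without exception entries the answer is the same."""

    def __init__(self):
        self._nets = []

    def add(self, cidr):
        self._nets.append(ipaddress.ip_network(cidr, strict=False))

    def test(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self._nets)


class NetIfaceSet:
    """Minimal model of the new 'hash:net,iface' type: (prefix, interface) pairs.
    With '--match-set ifaces src,src' the first flag selects the source address
    and the second the *input* interface, so a packet matches when its source
    lies in a stored prefix and it arrived on that prefix's interface.
    (The 'nomatch' exception flag of later ipset releases is not modelled.)"""

    def __init__(self):
        self._entries = []

    def add(self, entry):
        cidr, iface = entry.split(",", 1)  # same "10.0.0.0/24,eth0" syntax as the CLI
        self._entries.append((ipaddress.ip_network(cidr, strict=False), iface))

    def test(self, addr, in_iface):
        ip = ipaddress.ip_address(addr)
        return any(ip in net and iface == in_iface for net, iface in self._entries)


def raw_prerouting(src, in_iface, nets, ifaces, external_ifaces):
    """Verdict of the announcement's raw PREROUTING rules (chain named 'ifaces'):

        PREROUTING -m set --match-set nets src -j ifaces
        ifaces     -m set --match-set ifaces src,src -j ACCEPT
        ifaces     -j log-and-drop-spoofed-packets
        PREROUTING -i <external> -j ACCEPT        (one rule per uplink)
        PREROUTING -j log-and-drop-spoofed-packets
    """
    if nets.test(src):
        # Source claims to be one of our networks: accept only if it came in on
        # the interface that owns that prefix. This catches a spoofed internal
        # address on the uplink (ingress) and on the wrong LAN port (egress).
        return "ACCEPT" if ifaces.test(src, in_iface) else "DROP"
    if in_iface in external_ifaces:
        # Foreign source on an uplink: ordinary Internet traffic.
        return "ACCEPT"
    # Foreign source on an internal interface: spoofed, drop.
    return "DROP"


def build_sets():
    """The two sets exactly as created in the announcement."""
    nets = NetSet()
    nets.add("10.0.0.0/8")
    nets.add("192.168.0.0/16")
    ifaces = NetIfaceSet()
    ifaces.add("10.0.0.0/24,eth0")
    ifaces.add("10.2.0.0/16,eth1")
    return nets, ifaces


# Constructed sample packets (source address, input interface); not from the thread.
SAMPLE_PACKETS = [
    ("10.0.0.5", "eth0"),                # owned prefix on its own interface
    ("10.2.3.4", "eth1"),
    ("10.0.0.5", "eth1"),                # internal address on the wrong interface
    ("10.5.0.1", "eth0"),                # in 'nets' but claimed by no interface
    ("192.168.1.1", "external-iface0"),  # private source arriving from the uplink
    ("8.8.8.8", "external-iface0"),      # ordinary inbound Internet traffic
    ("8.8.8.8", "eth0"),                 # foreign source from an internal interface
]


def classify(packets=SAMPLE_PACKETS,
             external_ifaces=("external-iface0", "external-iface1")):
    """Return the PREROUTING verdict for each (src, in_iface) packet."""
    nets, ifaces = build_sets()
    return [raw_prerouting(src, dev, nets, ifaces, external_ifaces)
            for src, dev in packets]


if __name__ == "__main__":
    for (src, dev), verdict in zip(SAMPLE_PACKETS, classify()):
        print(f"{src:>14} via {dev:<16} -> {verdict}")
```

The fourth sample packet is the one worth noticing: 10.5.0.1 is inside 10.0.0.0/8, so it enters the `ifaces` chain, but no interface claims it, so it is dropped. Any prefix you put in `nets` must therefore also be split out into `ifaces` entries, or legitimate traffic from it is logged as spoofed.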
* Re: [ANNOUNCE] ipset 6.7 released
From: Jozsef Kadlecsik @ 2011-05-31 20:13 UTC (permalink / raw)
To: netfilter, netfilter-devel
On Tue, 31 May 2011, Jozsef Kadlecsik wrote:
> Besides a few bugfixes, ipset 6.7 comes with a new set type called
> hash:net,iface. The new type makes it possible to store network address and
> interface name pairs in a set. That way egress and ingress filtering is
> possible with ipset, in just a few rules. Just an example:
>
> # Define the set for all your networks and fill it out
> ipset create nets hash:net
> ipset add nets 10.0.0.0/8
> ipset add nets 192.168.0.0/16
> ...
> # Define the set with the allowed network, interface pairs
> ipset create ifaces hash:net,iface
> ipset add ifaces 10.0.0.0/24,eth0
> ipset add ifaces 10.2.0.0/16,eth1
> ...
> # Create a chain to handle your networks
Sorry, the chain here should be named "ifaces" for the jump in the
egress/ingress filtering below:
> iptables -N nets
> iptables -A nets -m set --match-set ifaces src,src -j ACCEPT
> iptables -A nets -j log-and-drop-spoofed-packets
> # Egress and ingress filtering
> iptables -t raw -A PREROUTING -m set --match-set nets src -j ifaces
> iptables -t raw -A PREROUTING -i external-iface0 -j ACCEPT
> iptables -t raw -A PREROUTING -i external-iface1 -j ACCEPT
> ...
> iptables -t raw -j log-and-drop-spoofed-packets
> # That's all :-)
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: [ANNOUNCE] ipset 6.7 released
From: Eric Dumazet @ 2011-05-31 21:42 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter, netfilter-devel
On Tuesday 31 May 2011 at 22:11 +0200, Jozsef Kadlecsik wrote:
> Hi,
>
> Besides a few bugfixes, ipset 6.7 comes with a new set type called
> hash:net,iface. The new type makes it possible to store network address and
> interface name pairs in a set. That way egress and ingress filtering is
> possible with ipset, in just a few rules. Just an example:
>
> # Define the set for all your networks and fill it out
> ipset create nets hash:net
> ipset add nets 10.0.0.0/8
> ipset add nets 192.168.0.0/16
> ...
> # Define the set with the allowed network, interface pairs
> ipset create ifaces hash:net,iface
> ipset add ifaces 10.0.0.0/24,eth0
> ipset add ifaces 10.2.0.0/16,eth1
> ...
> # Create a chain to handle your networks
> iptables -N nets
> iptables -A nets -m set --match-set ifaces src,src -j ACCEPT
> iptables -A nets -j log-and-drop-spoofed-packets
> # Egress and ingress filtering
> iptables -t raw -A PREROUTING -m set --match-set nets src -j ifaces
> iptables -t raw -A PREROUTING -i external-iface0 -j ACCEPT
> iptables -t raw -A PREROUTING -i external-iface1 -j ACCEPT
Hi Jozsef
I could probably use this feature if plugged into tc filter, so that I
really can apply qdisc/class traffic shaping on ingress, to queue packets
into the right queue, before the iptables layer.
tc filter add dev ifb0 protocol ip parent 10: handle 2 \
flow ipset ipset keys src \
flowid 1:40
Any plan on this side ?
Thanks
> ...
> iptables -t raw -j log-and-drop-spoofed-packets
> # That's all :-)
* Re: [ANNOUNCE] ipset 6.7 released
From: Mr Dash Four @ 2011-05-31 21:46 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Jozsef Kadlecsik, netfilter, netfilter-devel
> tc filter add dev ifb0 protocol ip parent 10: handle 2 \
> flow ipset ipset keys src \
> flowid 1:40
>
> Any plan on this side ?
>
++1!
I have been waiting for this for quite some time and am currently
"hardcoding" a lot of stuff in tc, which I was very reluctant to do as I
have everything tied to ipset these days. So, in other words, I'll be
glad if that would be possible!
* Re: [ANNOUNCE] ipset 6.7 released
From: Jan Engelhardt @ 2011-05-31 21:48 UTC (permalink / raw)
To: Mr Dash Four; +Cc: Eric Dumazet, Jozsef Kadlecsik, netfilter, netfilter-devel
On Tuesday 2011-05-31 23:46, Mr Dash Four wrote:
>
>> tc filter add dev ifb0 protocol ip parent 10: handle 2 \
>> flow ipset ipset keys src \
>> flowid 1:40
>>
>> Any plan on this side ?
>>
> ++1!
There is already m_xt in iproute2... now it would only need f_xt.
Maybe you can convince Jamal..
* Re: [ANNOUNCE] ipset 6.7 released
From: Jozsef Kadlecsik @ 2011-06-01 7:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Mr Dash Four, Eric Dumazet, netfilter, netfilter-devel
On Tue, 31 May 2011, Jan Engelhardt wrote:
> On Tuesday 2011-05-31 23:46, Mr Dash Four wrote:
>
> >> tc filter add dev ifb0 protocol ip parent 10: handle 2 \
> >> flow ipset ipset keys src \
> >> flowid 1:40
> >>
> >> Any plan on this side ?
> >>
> > ++1!
>
> There is already m_xt in iproute2... now it would only need f_xt.
> Maybe you can convince Jamal..
Yes, f_xt would be required to integrate ipset into tc.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary