List: netfilter
Subject: Re: ipset hash:net:port:net
From: Jozsef Kadlecsik <kadlec () netfilter ! org>
Date: 2023-06-23 18:30:40
Message-ID: 4d4b3ca0-e994-3f29-e5da-a828d6a1c13 () netfilter ! org
Hello,
On Thu, 22 Jun 2023, Марк Коренберг wrote:
> 1. In the latest ipset, adding "1.2.3.4/0,tcp:0,1.2.3.0/24" is not
> allowed. I would like it to be allowed. It should match on any TCP
> traffic that matches source and destination.
> 2. The same for protocol number 0. I want "1.2.3.4/0,0:0,1.2.3.0/24"
> to match all traffic that matches source and destination.
>
> These requirements come from the real cases, where an administrator adds
> rules to control access to his networks.
>
> Is it possible to make such changes? TCP port 0 is not a real thing, as
> well as IP protocol 0. So we can give them special meaning in IPSets.
>
> Although icmp:0 is not so clear in this case. Possibly allow setting -1 as
> protocol or port for matching any?
Sorry, no. It could only be implemented with the price of doubling the
lookup time in the set.
Why don't you simply use a hash:net,net type of set?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
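As an added example (not part of the thread, not ipset project code), a small POSIX shell script that follows the reply's suggestion: entries that should match any protocol go into a hash:net,net set, and only port-specific entries go into a hash:net,port,net set, emitted in ipset restore format together with the iptables rules that consult them. The set names acl_any and acl_port, the FORWARD chain and the network values are assumptions/constructed.

```shell
#!/bin/sh
# Added example: route ACL entries to the right ipset type instead of relying
# on a wildcard port/protocol, which hash:net,port,net does not support.
# Entry format (ipset syntax): "src,dst" for any protocol,
# "src,proto:port,dst" for a specific port. hash:net-type sets cannot store a
# /0 prefix, so use concrete source networks (constructed values below).

# Classify one entry: two fields -> hash:net,net, three fields -> hash:net,port,net.
ipset_add_line() {
    case "$1" in
        *,*,*) echo "add acl_port $1" ;;
        *,*)   echo "add acl_any $1" ;;
        *)     echo "bad entry: $1" >&2; return 1 ;;
    esac
}

# Emit a complete "ipset restore" input for the given entries.
gen_ipset_restore() {
    cat <<'EOF'
create acl_any hash:net,net family inet -exist
create acl_port hash:net,port,net family inet -exist
flush acl_any
flush acl_port
EOF
    for e in "$@"; do
        ipset_add_line "$e" || return 1
    done
}

# Emit the iptables rules: "src,dst" maps packet source/destination onto the
# two nets; "src,dst,dst" maps source, destination port and destination net.
gen_iptables_rules() {
    cat <<'EOF'
-A FORWARD -m set --match-set acl_any src,dst -j ACCEPT
-A FORWARD -m set --match-set acl_port src,dst,dst -j ACCEPT
EOF
}

# Demonstration with constructed entries: one any-protocol pair, two TCP ports.
gen_ipset_restore 10.0.0.0/8,1.2.3.0/24 \
                  10.0.0.0/8,tcp:22,1.2.3.0/24 \
                  10.0.0.0/8,tcp:443,1.2.3.0/24
gen_iptables_rules
```

Pipe the first generator into `ipset restore` and the second into `iptables-restore -n` on the firewall host (set names and chain are assumptions).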