
List:       netfilter
Subject:    Re: ipset hash:net:port:net
From:       Jozsef Kadlecsik <kadlec () netfilter ! org>
Date:       2023-06-23 18:30:40
Message-ID: 4d4b3ca0-e994-3f29-e5da-a828d6a1c13 () netfilter ! org


Hello,

On Thu, 22 Jun 2023, Марк Коренберг wrote:

> 1. In the latest ipset, adding "1.2.3.4/0,tcp:0,1.2.3.0/24" is not
> allowed. I would like it to be allowed. It should match on any TCP
> traffic that matches source and destination.
> 2. The same for protocol number 0. I want "1.2.3.4/0,0:0,1.2.3.0/24"
> to match all traffic that matches source and destination.
> 
> These requirements come from the real cases, where an administrator adds 
> rules to control access to his networks.
> 
> Is it possible to make such changes? TCP port 0 is not a real thing, as 
> well as IP protocol 0. So we can give them special meaning in IPSets.
> 
> Although icmp:0 is not so clear in this case. Possibly allow setting -1 
> as protocol or port for matching any?

Sorry, no. It could only be implemented with the price of doubling the 
lookup time in the set.

Why don't you simply use a hash:net,net type of set?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
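The alternative Jozsef points at, as an added example that is not part of the thread: a hash:net,net set already matches any protocol and any port between a source and a destination network, so the "port 0 / protocol 0 as wildcard" entries are not needed; port-specific entries stay in a hash:net,port,net set. Set names, network addresses and port specs below are constructed for illustration; the script only emits `ipset restore` input and iptables rules, it does not load them.

```shell
#!/bin/sh
# Emit "ipset restore" input for two sets: an any-protocol src->dst set
# (hash:net,net) and a port-specific one (hash:net,port,net).
# Usage: gen_ipset_rules SRC_NET DST_NET [PROTO:PORT ...]
# Set names "allow_any" and "allow_ports" are constructed for this example.
gen_ipset_rules() {
    src="$1"; dst="$2"; shift 2
    for p in "$@"; do
        case "$p" in
            0:*|*:0)
                # ipset does not treat port 0 or protocol 0 as a wildcard
                # (see the thread); refuse them and point at the any-protocol set.
                echo "refusing '$p': use the hash:net,net set for any-protocol matches" >&2
                return 1 ;;
        esac
    done
    printf 'create allow_any hash:net,net -exist\n'
    # One entry covers every protocol and port between the two networks.
    printf 'add allow_any %s,%s\n' "$src" "$dst"
    printf 'create allow_ports hash:net,port,net -exist\n'
    for p in "$@"; do
        # Each PROTO:PORT becomes src,proto:port,dst (e.g. tcp:22)
        printf 'add allow_ports %s,%s,%s\n' "$src" "$p" "$dst"
    done
}

# Emit the iptables rules that consult the sets. The flag list tells the set
# match which packet fields to look up, in the order of the set's dimensions:
# net,net -> source address, destination address
# net,port,net -> source address, destination port, destination address
gen_iptables_rules() {
    printf 'iptables -A FORWARD -m set --match-set allow_any src,dst -j ACCEPT\n'
    printf 'iptables -A FORWARD -m set --match-set allow_ports src,dst,dst -j ACCEPT\n'
}

# Stand-alone run: print the restore script and the rules for constructed networks.
if [ "${1:-}" = "--demo" ]; then
    gen_ipset_rules 10.0.0.0/8 192.0.2.0/24 tcp:22 udp:53
    gen_iptables_rules
fi
```

Pipe the first function's output into `ipset restore` and run the emitted iptables lines as root to apply them.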

