On Sun, 15 Jan 2012, Mr Dash Four wrote:
> > > Any chance of fixing this bug soon:
> > >
> > > ~# ipset n test hash:net family inet timeout 0
> > > ~# ipset a test 10.1.0.0/16
> > > ~# ipset t test 10.1.12.12
> > > 10.1.12.12 is in set test.
> > > ~# ipset t test 10.1.12.0/24
> > > 10.1.12.0/24 is NOT in test.
> >
> > It's a feature which I'm not going to fix in the near future.
> >
> It isn't a "feature", it is a bug: 10.1.12.0/24 is within the 10.1.0.0/16
> range, so the above test should return true, not false. Either that, or ip
> range values should be restricted/excluded from the "test" command in the
> ipset userspace binary.

The "test" functionality is already overloaded. It has two "modes":

- you can test how the *kernel* sees the set, when checking a single IP
  address
- you can check whether an *exact* element is added to the set or not.

As the first one overloads the second one, for hash:*net* types the second
mode is already "incomplete" in the sense that one cannot check whether a
given single IP address is already added to a hash:*net* type of set as an
exact element or not, because a network element may match it.

Your request means a third mode, which could lead to even more confusion,
because that way one could not check whether the tested address as
*element* is added to the set or not.

There's no magical element-aggregation in the hash:* types. That is, even
if 10.1.0.0/16 is added as an element, 10.1.0.0/24 can be added again as
an independent element: either it should be rejected (when the command was
issued without the --exist flag) or silently ignored (when it was issued
with it). So even to consider your feature requests, it could come only after
implementing element-aggregation.

Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
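
The two "test" modes described in the reply above, as an added Python model (not ipset's code and not part of the original message). The class and method names are assumptions, and `covered()` is a hypothetical containment check of the kind the request asks for, not an ipset mode; it is what a rule-set audit would run outside ipset to learn whether a range is already matched.

```python
import ipaddress


class HashNetModel:
    """Constructed model of hash:net 'test' semantics; not ipset code."""

    def __init__(self):
        # Every element is stored independently: there is no aggregation,
        # so 10.1.0.0/16 and 10.1.0.0/24 are two distinct elements.
        self.elements = set()

    def add(self, cidr):
        self.elements.add(ipaddress.IPv4Network(cidr))

    def test(self, value):
        net = ipaddress.IPv4Network(value)
        if net.prefixlen == 32:
            # Mode 1: a single address is checked the way the kernel sees
            # the set, so any stored network that contains it matches.
            return any(net.subnet_of(e) for e in self.elements)
        # Mode 2: a network is looked up as an exact element only.
        return net in self.elements

    def covered(self, value):
        # Hypothetical audit helper: is the whole range inside some
        # stored element? It cannot say whether the range itself was added.
        net = ipaddress.IPv4Network(value)
        return any(net.subnet_of(e) for e in self.elements)


def demo():
    s = HashNetModel()
    s.add("10.1.0.0/16")  # same set contents as the session quoted above
    before = (s.test("10.1.12.12"), s.test("10.1.12.0/24"),
              s.covered("10.1.12.0/24"))
    s.add("10.1.0.0/24")  # stored as a second, independent element
    return before, len(s.elements), s.test("10.1.0.0/24")


if __name__ == "__main__":
    print(demo())
```
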