[v2,0/6] Add support for new bitmask parameter (userspace)

Message ID 20220928182536.602688-1-vpai@akamai.com

Message

Vishwanath Pai Sept. 28, 2022, 6:25 p.m. UTC
Add a new parameter to complement the existing 'netmask' option. The
main difference between netmask and bitmask is that bitmask takes any
arbitrary ip address as input, it does not have to be a valid netmask.

The name of the new parameter is 'bitmask'. This lets us mask out
arbitrary bits in the ip address, for example:
ipset create set1 hash:ip bitmask 255.128.255.0
ipset create set2 hash:ip,port family inet6 bitmask ffff::ff80

This patchset contains userspace patches, I will submit the kernel patch
separately.

Changes in v2 based on code review comments:
    * Removed the changes to nf_inet_addr.h and nfproto.h, this will break on older kernels
    * Remove bitmask option from net,net since it is redundant, update the manpage
    * Add tests for the new bitmask param (similar to netmask tests)

Vishwanath Pai (6):
  netfilter: ipset: Add support for new bitmask parameter
  netfilter: ipset: Add bitmask support to hash:ip
  netfilter: ipset: Add bitmask support to hash:ipport
  netfilter: ipset: Add bitmask support to hash:netnet
  netfilter: ipset: Update the man page to include netmask/bitmask options
  netfilter: ipset: add tests for the new bitmask feature

 include/libipset/args.h         |   1 +
 include/libipset/data.h         |   6 +-
 include/libipset/linux_ip_set.h |   2 +
 include/libipset/parse.h        |   2 +
 lib/args.c                      |   8 +++
 lib/data.c                      |  10 +++
 lib/debug.c                     |   1 +
 lib/errcode.c                   |   2 +
 lib/ipset_hash_ip.c             |  86 +++++++++++++++++++++++
 lib/ipset_hash_ipport.c         | 108 +++++++++++++++++++++++++++++
 lib/ipset_hash_netnet.c         | 100 +++++++++++++++++++++++++++
 lib/parse.c                     |  37 ++++++++++
 lib/print.c                     |   3 +-
 lib/session.c                   |   8 +++
 src/ipset.8                     |  26 ++++++-
 tests/hash:ip,port.t            | 118 ++++++++++++++++++++++++++++++++
 tests/hash:ip,port.t.list3      |  11 +++
 tests/hash:ip,port.t.list4      |   9 +++
 tests/hash:ip,port.t.list5      |  11 +++
 tests/hash:ip,port.t.list6      |   9 +++
 tests/hash:ip,port.t.list7      |   9 +++
 tests/hash:ip.t                 |  74 +++++++++++++++++++-
 tests/hash:ip.t.list4           |  11 +++
 tests/hash:ip.t.list5           |   9 +++
 tests/hash:ip.t.list6           |   9 +++
 tests/hash:net,net.t            |  66 ++++++++++++++++++
 tests/hash:net,net.t.list3      |  11 +++
 tests/hash:net,net.t.list4      |   9 +++
 tests/hash:net,net.t.list5      |   9 +++
 29 files changed, 758 insertions(+), 7 deletions(-)
 create mode 100644 tests/hash:ip,port.t.list3
 create mode 100644 tests/hash:ip,port.t.list4
 create mode 100644 tests/hash:ip,port.t.list5
 create mode 100644 tests/hash:ip,port.t.list6
 create mode 100644 tests/hash:ip,port.t.list7
 create mode 100644 tests/hash:ip.t.list4
 create mode 100644 tests/hash:ip.t.list5
 create mode 100644 tests/hash:ip.t.list6
 create mode 100644 tests/hash:net,net.t.list3
 create mode 100644 tests/hash:net,net.t.list4
 create mode 100644 tests/hash:net,net.t.list5
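
Added example, not part of the original posting or of the ipset code: a small C model of what the cover letter describes, checking whether a mask is a valid netmask and showing which value an address reduces to under a bitmask. It assumes the mask is applied as a bytewise AND with the address; the function names and the sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse address or mask text into raw bytes; returns byte length or -1. */
static int parse(int family, const char *s, unsigned char *buf)
{
    if ((family != AF_INET && family != AF_INET6) || inet_pton(family, s, buf) != 1)
        return -1;
    return family == AF_INET ? 4 : 16;
}

/* 1: 1-bits then only 0-bits (valid netmask); 0: bitmask only; -1: bad input. */
int mask_is_netmask(int family, const char *mask)
{
    unsigned char m[16];
    int len = parse(family, mask, m), seen_zero = 0;
    for (int i = 0; i < len * 8; i++) {
        int bit = (m[i / 8] >> (7 - i % 8)) & 1;
        if (bit && seen_zero)
            return 0;
        seen_zero |= !bit;
    }
    return len < 0 ? -1 : 1;
}

/* Model of the masking (assumed: bytewise addr AND mask); 0 ok, -1 bad input. */
int apply_bitmask(int family, const char *addr, const char *mask,
                  char *out, socklen_t outlen)
{
    unsigned char a[16], m[16];
    int len = parse(family, addr, a);
    if (len < 0 || parse(family, mask, m) < 0)
        return -1;
    for (int i = 0; i < len; i++)
        a[i] &= m[i];
    return inet_ntop(family, a, out, outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample addresses; the mask is from the cover letter. */
    const char *v4[] = { "10.200.3.77", "10.129.3.9", "10.5.3.9" };
    char out[INET6_ADDRSTRLEN];
    for (int i = 0; i < 3; i++)
        if (apply_bitmask(AF_INET, v4[i], "255.128.255.0", out, sizeof out) == 0)
            printf("%-12s -> %s\n", v4[i], out);
    return 0;
}
```

With 255.128.255.0, both 10.200.3.77 and 10.129.3.9 reduce to 10.128.3.0, so one stored value covers hosts that no single netmask would group together.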

Comments

Jozsef Kadlecsik Nov. 7, 2022, 8 a.m. UTC | #1
Hi,
 
On Wed, 28 Sep 2022, Vishwanath Pai wrote:

> Add a new parameter to complement the existing 'netmask' option. The 
> main difference between netmask and bitmask is that bitmask takes any 
> arbitrary ip address as input, it does not have to be a valid netmask.
> 
> The name of the new parameter is 'bitmask'. This lets us mask out
> arbitrary bits in the ip address, for example:
> ipset create set1 hash:ip bitmask 255.128.255.0
> ipset create set2 hash:ip,port family inet6 bitmask ffff::ff80
> 
> This patchset contains userspace patches, I will submit the kernel patch
> separately.
> 
> Changes in v2 based on code review comments:
>     * Removed the changes to nf_inet_addr.h and nfproto.h, this will break on older kernels
>     * Remove bitmask option from net,net since it is redundant, update the manpage
>     * Add tests for the new bitmask param (similar to netmask tests)

Thanks for the patch, it's much better. I have a few comments only and 
will send them separately at the given patches. All other parts are OK.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary