> Not sure exactly what you mean by "pinholes" (forgive me if I'm off-base) but one thing you may want to consider is using the "iptreemap" type of ipset. The iptree and iptreemap ipset types are unique in that you can populate it and then selectively remove smaller pieces from it.
>
> In other words, you can add a network to it, and then delete a subnet or address of that network, and the ipset will dynamically (and instantaneously) break the previous entry into two parts around the subnet you have removed.

That is no longer supported in newer ipset versions (5 or 6) - the main reason I have implemented this in the way it is now. You are right in a way, with ipset 4.x that was indeed possible, though you have to know in which (blacklist) set exactly the address/subnet you wish to delete is, which is not always that easy.
> So, creating a "pinhole" (unless I misunderstood what you mean by it) would require you to delete the network, calculate the subnets that should remain once your "pinhole" is removed, and then add back those subnets. The "tree" type of ipsets takes care of it for you.

That is not a solution - I can't just "delete" this network if I use any of the modern versions of ipset.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
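The subnet arithmetic the quoted suggestion describes (drop the network, compute the blocks that remain around the pinhole, re-add them), as an added example that is not part of the original thread or of Shorewall/ipset itself; the set name `blacklist` and the addresses are constructed, and it emits `ipset add` lines for a hash:net set instead of relying on the iptreemap behaviour that newer ipset versions dropped:

```python
import ipaddress


def carve_pinholes(network, pinholes):
    """Return the CIDR blocks (as strings, sorted) that cover `network`
    minus every block listed in `pinholes`.

    Each pinhole that lies inside a remaining block splits that block
    into the smallest set of CIDRs around it (what iptreemap did on
    delete); a pinhole that swallows a block drops it; a pinhole that
    does not overlap is ignored. IPv4 only is assumed here."""
    remaining = [ipaddress.ip_network(network, strict=True)]
    for hole in pinholes:
        hole_net = ipaddress.ip_network(hole, strict=True)
        next_remaining = []
        for block in remaining:
            if block.subnet_of(hole_net):
                # The hole covers this whole block: nothing survives.
                continue
            if hole_net.subnet_of(block):
                # The hole sits inside this block: keep the pieces around it.
                next_remaining.extend(block.address_exclude(hole_net))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return [str(net) for net in sorted(remaining)]


def covers(cidrs, address):
    """True if `address` falls inside any of the CIDR strings."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def ipset_add_commands(setname, cidrs):
    """One `ipset add` line per surviving block, for a hash:net set."""
    return ["ipset add %s %s" % (setname, cidr) for cidr in cidrs]


if __name__ == "__main__":
    # Constructed sample: blacklist 10.1.0.0/16 but leave 10.1.2.3 reachable.
    blocks = carve_pinholes("10.1.0.0/16", ["10.1.2.3/32"])
    for line in ipset_add_commands("blacklist", blocks):
        print(line)
    print("10.1.2.3 blocked:", covers(blocks, "10.1.2.3"))
```

A /32 pinhole in a /16 produces 16 blocks (one per prefix length from /17 to /32), which is the bookkeeping the quoted reply says the tree types used to hide.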
