On Sun, 15 May 2011 12:51:51 +0000
[email protected] wrote:

> That is no longer supported in newer ipset versions (5 or 6) - the
> main reason I have implemented this in the way it is now. You are
> right in a way, with ipset 4.x that was indeed possible, though you
> have to know in what (blacklist) set exactly is the address/subnet
> you wish to delete, which is not always that easy.

Well, you have a choice.  You can use ipset version 4 and do it this
way (which results in having a single netfilter matching operation,
against the ipset), or you can use an exclusion clause, which will
result in an additional netfilter operation first performing a match
operation against the excluded node.  I am of the mindset that
blacklist rules should be carefully optimized because they are
expensive (universally applied).

If you are constrained on which version of ipset you can use, then I
suppose you ought to do the latter (as explained in
SHOREWALL-BLACKLIST(5)).

> > So, creating a "pinhole" (unless I misunderstood what you mean by
> > it) would require you to delete the network, calculate the subnets
> > that should remain once your "pinhole" is removed, and the add back
> > those subnets. The "tree" type of ipsets takes care of it for you.
> >     
> That is not a solution - I can't just "delete" this network if I use
> any of the modern versions of ipset.

I think I was unclear here.  I am saying that if you do not use a tree
type ipset, but you still want to create the "pinhole" within the
ipset, then the equivalent would be to "manually" exclude it at the
time you create the ipset by pre-processing the list and
breaking in two any element that contains a trusted address.

That would probably only be worth the effort of writing the code if
you have a high-traffic situation where eliminating a single netfilter
match would justify it.  It would also increase the time of uploading a
new blacklist (e.g. if you're using published blocklists updated hourly)
by a minute or so while this entry-by-entry processing occurs.

From what it sounds like, you should probably just use exclusions in
the blacklist file.  Sorry if I wasted your time.


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

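The pre-processing step the reply above describes (splitting any blacklist element that contains a trusted address so the trusted range is carved out before the set is loaded, the way a tree-type ipset would do it for you) is worked through below as an added example. This is not code from the message's author or from Shorewall; the set name `blacklist`, the `hash:net` set type and the sample addresses are constructed for the illustration. It generalises the "break in two" idea to trusted ranges of any size, since two CIDR blocks either nest or are disjoint.

```python
#!/usr/bin/env python3
"""Punch trusted "pinholes" out of a CIDR blacklist before it is loaded
into an ipset, so no separate exclusion rule is needed in netfilter.

Added example; set name, set type and sample addresses are constructed.
"""
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges).
SAMPLE_BLACKLIST = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.77"]
SAMPLE_TRUSTED = ["192.0.2.10", "198.51.100.0/25", "203.0.113.200"]


def punch_pinholes(blacklist, trusted):
    """Return the blacklist networks with every trusted network removed.

    CIDR blocks either nest or are disjoint, so for each trusted block a
    blacklist entry is kept (disjoint), dropped (the trusted block covers
    all of it) or replaced by the sub-blocks that surround the trusted
    range (the trusted block lies strictly inside it).
    """
    nets = [ipaddress.ip_network(b, strict=False) for b in blacklist]
    for hole in (ipaddress.ip_network(t, strict=False) for t in trusted):
        remaining = []
        for net in nets:
            if net.version != hole.version or not net.overlaps(hole):
                remaining.append(net)          # disjoint: keep as-is
            elif hole.supernet_of(net):
                continue                       # whole entry is trusted: drop it
            else:
                # hole is strictly inside net: address_exclude yields the
                # blocks covering everything in net except hole
                remaining.extend(net.address_exclude(hole))
        nets = remaining
    # Merge adjacent blocks per address family so the set stays small.
    out = []
    for version in (4, 6):
        same_family = (n for n in nets if n.version == version)
        out.extend(ipaddress.collapse_addresses(same_family))
    return out


def covers(nets, address):
    """True if the address falls inside any network in nets."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n for n in nets)


def ipset_restore_lines(setname, nets):
    """Render the result as input for `ipset restore` (ipset 6 syntax).

    IPv4 and IPv6 members need separate sets; the v6 set gets a "6" suffix
    (a naming choice made for this example).
    """
    lines = []
    for version, family in ((4, "inet"), (6, "inet6")):
        members = [n for n in nets if n.version == version]
        if not members:
            continue
        name = setname if version == 4 else setname + "6"
        lines.append(f"create {name} hash:net family {family}")
        lines += [f"add {name} {n.with_prefixlen}" for n in members]
    return lines


if __name__ == "__main__":
    for line in ipset_restore_lines("blacklist",
                                    punch_pinholes(SAMPLE_BLACKLIST,
                                                   SAMPLE_TRUSTED)):
        print(line)
```

With the sample data the single trusted host inside 192.0.2.0/24 turns that one entry into eight blocks (/25 down to /32), the entry identical to a trusted range disappears, and the unrelated /32 is untouched. In practice one would feed the output to `ipset restore` into a freshly created set and then `ipset swap` it with the live set, so the blacklist is never half-loaded while the match is active.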