Bug 1373

Summary: [ipset] ability to use a more complex mask on hash:*net* functionality for family ipv6
Product: ipset
Reporter: Philippe Guibert <philippe.guibert>
Component: default
Assignee: netfilter buglog mailinglist <netfilter-buglog>
Status: RESOLVED WONTFIX
Severity: enhancement
CC: kadlec
Priority: P5
Version: unspecified
Hardware: x86_64
OS: All

Description Philippe Guibert 2019-10-16 11:42:06 CEST
Today, it is possible to apply a subnet mask.

ipset create foo hash:net family ipv6
ipset add foo 1001::0/112

The need is to use a hexadecimal format for the mask, to be able to create more subtle masks. This filter can be useful if one wants to filter only on the last 4 bytes of the IPv6 address, because we know this is an IPv4-mapped IPv6 address.

example:
ipset add foo 1001::0/0xffffff00

# above example does not look at the first 12 bytes of the ipv6 address, and will focus on only 3 bytes of the incoming IPv6 address.

Comment 1 Jozsef Kadlecsik 2019-10-31 14:27:23 CET
The code is based on the assumption of CIDR subnet masks. It is not possible to extend it to support masks which cannot be expressed in CIDR numbers, sorry.
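
An added example, not ipset code and not part of the original report: a simplified model of a set keyed on (network, prefix length), showing that the requested mask has no prefix-length equivalent. `ToyHashNet` and `prefix_len_of` are hypothetical names, and the mask value is read as the report's comment describes it (the low 32 bits of the address, three bytes set).

```python
import ipaddress

FULL = (1 << 128) - 1  # all-ones 128-bit mask

def prefix_len_of(mask: int):
    """Return the CIDR prefix length of a 128-bit mask, or None when the
    mask is not a single run of leading one-bits (not expressible as /N)."""
    inverted = mask ^ FULL  # the "host" bits
    # For a CIDR mask the inverted value is 2^k - 1 (ones only in the low k bits).
    if inverted & (inverted + 1):
        return None
    return 128 - inverted.bit_length()

class ToyHashNet:
    """Toy model: entries are (network, prefix_len) pairs, and a lookup
    masks the address once per prefix length present in the set."""
    def __init__(self):
        self.entries = set()
        self.prefix_lens = set()

    def add(self, cidr: str):
        net = ipaddress.IPv6Network(cidr, strict=False)
        self.entries.add((int(net.network_address), net.prefixlen))
        self.prefix_lens.add(net.prefixlen)

    def test(self, addr: str) -> bool:
        a = int(ipaddress.IPv6Address(addr))
        for plen in sorted(self.prefix_lens, reverse=True):
            mask = (FULL << (128 - plen)) & FULL
            if (a & mask, plen) in self.entries:
                return True
        return False

def demo():
    s = ToyHashNet()
    s.add("1001::0/112")       # entry from the report
    requested = 0xffffff00     # mask from the report, low 32 bits only
    return {
        "in_112": s.test("1001::abcd"),          # constructed test address
        "outside_112": s.test("1001::1:abcd"),   # constructed test address
        "cidr_112": prefix_len_of((FULL << 16) & FULL),
        "requested_as_cidr": prefix_len_of(requested),
    }

if __name__ == "__main__":
    print(demo())
```

In this model every stored key carries a prefix length, so a mask that ignores the leading 96 bits has no slot to live in.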