Bug 1373 - [ipset] ability to use a more complex mask on hash:*net* functionality for family ipv6
Status: RESOLVED WONTFIX
Alias: None
Product: ipset
Classification: Unclassified
Component: default
Version: unspecified
Hardware: x86_64 All
Importance: P5 enhancement
Assignee: netfilter buglog mailinglist
Reported: 2019-10-16 11:42 CEST by Philippe Guibert
Modified: 2019-10-31 14:27 CET
Description Philippe Guibert 2019-10-16 11:42:06 CEST
Today, it is possible to apply a subnet mask.

ipset create foo hash:net family ipv6
ipset add foo 1001::0/112

The need is to use a hexadecimal format for the mask, to be able to create more subtle masks. This filter can be useful if one wants to filter only on the last 4 bytes of the IPv6 address, because we know this is an IPv4-mapped IPv6 address.

example:
ipset add foo 1001::0/0xffffff00

# above example does not look at the first 12 bytes of the ipv6 address, and will focus on only 3 bytes of the incoming IPv6 address.
Comment 1 Jozsef Kadlecsik 2019-10-31 14:27:23 CET
The code is based on the assumption of CIDR subnet masks. It is not possible to extend it to support masks which cannot be expressed in CIDR numbers, sorry.
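
Added example (not part of the bug report and not ipset's own code): a small C check of which 128-bit masks can be written as a CIDR prefix length, the assumption Comment 1 refers to. The function names are hypothetical, and the byte layout used for the requested mask (first 12 bytes zero, then ff ff ff 00) is an interpretation of the reporter's description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build the 128-bit netmask that corresponds to a CIDR prefix length (0..128). */
static void cidr_to_mask(unsigned prefix, uint8_t mask[16])
{
    memset(mask, 0, 16);
    for (unsigned i = 0; i < 16 && prefix > 0; i++) {
        unsigned bits = prefix >= 8 ? 8 : prefix;
        mask[i] = (uint8_t)(0xff << (8 - bits));
        prefix -= bits;
    }
}

/* Return the prefix length if the mask is a run of leading one-bits followed
 * only by zero-bits; return -1 if no CIDR number can express it. */
static int mask_to_cidr(const uint8_t mask[16])
{
    int prefix = 0, seen_zero = 0;
    for (int i = 0; i < 16; i++) {
        for (int bit = 7; bit >= 0; bit--) {
            if (mask[i] & (1u << bit)) {
                if (seen_zero)
                    return -1;      /* a one-bit after a zero-bit: not a prefix */
                prefix++;
            } else {
                seen_zero = 1;
            }
        }
    }
    return prefix;
}

/* Round trip: every prefix length must map to a mask that maps back to it. */
static int roundtrip(unsigned prefix)
{
    uint8_t mask[16];
    cidr_to_mask(prefix, mask);
    return mask_to_cidr(mask);
}

/* Constructed sample: the mask from the report, ignoring the first 12 bytes
 * and matching on 0xffffff00 in the last 4 (assumed layout). */
static int requested_mask_cidr(void)
{
    uint8_t mask[16] = {0};
    mask[12] = 0xff; mask[13] = 0xff; mask[14] = 0xff; mask[15] = 0x00;
    return mask_to_cidr(mask);
}

int main(void)
{
    printf("/112 -> %d\n", roundtrip(112));
    printf("requested mask -> %d\n", requested_mask_cidr());
    return 0;
}
```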