> Kernel doesn't know when DST transitions occur though.
> It's an utter mess and usually needs shell/cron scripts to catch this.
So, when these transactions will occur... then cron script can be
used, else let it continue as it is.
i.e. by default -m time can be used. If there are issues with it
Thanks for the info.
Probably then, if I want to do development, it's better I should do it
for nftables. It would give more fruitful results!
Thanks once again.
> What is missing for your use case?
For eg., can we store connmark and tc classid in skbinfo of named set
in nftables?
> the original ips are already stored in conntrack. If you want to store
> nat mappings: This is already implemented in nft set infra.
> What are you trying to do?
Can we
> No, that's a totally wrong way. ipset is independent from
> iptables/ip6tables: you cannot refer to a match/target/chain from ipset.
> It also makes no sense to reimplement those in ipset.
Yes. That's obvious that iptables need to do decision handling, packet flow, etc.
Just that, I want to
effort once again.
On 8/9/18, Jesper Dangaard Brouer wrote:
>
> On Thu, 9 Aug 2018 13:59:59 +0530 Akshat Kakkar
> wrote:
>
>> I want to create custom ipsets like hash: iface,iface ,etc.
>>
>> Can anybody guide which is the best place to start development for the
>>
> What is your architecture?
It's a 4.4.82 64 bit kernel
and my setup has only 2 machines ... one laptop(IP:192.168.100.100)
and other this linux machine (IP:192.168.100.1).
I have already taken sufficient time of yours, you just please reply that
are you able to find an iptable rule hit with ipset
>
>> There is only one rule in my iptables,
>>
>> iptables -A INPUT -m set --match-set foo src,src -j ACCEPT
>
> That's the filter table. What about the other tables?
nothing in any other table.
raw
mangle
nat
If entry in ipset is 0.0.0.0/0,eth0 then iptable rule is not matched.
However, if
There is only one rule in my iptables,
iptables -A INPUT -m set --match-set foo src,src -j ACCEPT
Should I reinstall my iptables (v 1.6.1) as I have modified ipset from
6.25 to 6.35?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
Can somebody look at it?
Just to add,
with ipset having entry for 0.0.0.0/0,eth0
if I test
ipset -T foo 192.168.100.100,eth0
it returns success.
But in iptables rule it is not matching.
> You can check /sys/module/${name}/srcversion against the value modinfo
> reports for the *.ko files.
Both values are same (C5740401AA451FE13008D58).
As a workaround, I am now adding
0.0.0.0/1,eth0
and
128.0.0.0/1,eth0
to the ipset.
And this works fine for my requirement.
But for sure, for
, Feb 24, 2018 at 3:09 AM, Jozsef Kadlecsik
<kad...@blackhole.kfki.hu> wrote:
> Hi,
>
> On Thu, 22 Feb 2018, Akshat Kakkar wrote:
>
>> I created an IPSET,
>> ipset -N foo hash:net,iface
>>
>> Then added member as
>> ipset -A foo 0.0.0.0/0,eth0
>>
I created an IPSET,
ipset -N foo hash:net,iface
Then added member as
ipset -A foo 0.0.0.0/0,eth0
However, following iptables rule is not matched when machine is pinged
on its eth0 interface
iptables -A INPUT -m set --match-set foo src,src -j ACCEPT
But, if I add entry in ipset as
ipset -A foo