matching a list of IP's
bof@oknodo.bof.de
Thu, 20 Jul 2000 08:04:25 +0200 (MEST)
Hi Rusty,
> > I implemented this some time ago; search the list archives for "ippool".
>
> What's the state of this at the moment? I like the pool/POOL
> stuff, since it comes closer to making iptables self-aware...
<grin> Yes, it's a nice backdoor for introducing global state, and
for manipulating it. Memory - the basis of self-awareness. </grin>
I'm fully set up with the latest and greatest iptables stuff, and will
port up ippool (renamed to ipmap) in the next days; probably next
weekend, because marketing gave me some boring programming to do
this week (adserver tag rewriting. Make lots of money by shuffling
CGI variables around :)
Along with bringing ipmap to 1.1.1, I'd like to do a significant change.
Here's a short example of how I'd like to implement the pool management.
iptables -t ipmap -N myMap
iptables -t ipmap -A myMap -s first_ip -d last_ip -j Bitmap
...
- source and destination IP are misused to define the bounds of
a "slice" of the map.
- later, when looking up a source or destination IP address of some
skb in that map, it will be bounds-checked against those.
- obviously, '-t ipmap' will use a modified ipt_do_table() for the scan.
I'm half way through implementing it.
- the Bitmap pseudotarget may later have cousins like Hash.
- a single map can map several ranges of addresses, possibly with
different underlying implementations.
- the filter table match and target modules will work as before:
iptables -A INPUT -m ipmap --map-src myMap -j ACCEPT
looks up the source IP address (--map-dst will use the destination)
in the map myMap, and matches if it is found.
iptables -A INPUT -m something -j IPMAP --set-map-src myMap
as a target, if the source IP address is within the bounds of the
map, sets the bit for that address. '--reset-map-dst' would clear
the bit for the destination IP address, instead.
Both source and destination IP address may be matched and targeted,
possibly using different maps.
The goal of this change is to harvest the flexibility of iptables'
module system, instead of reinventing it in the ipmap(2) utility.
That utility will probably remain, for manipulating the _content_ of the
maps, as before.
Do you see any problem with going that way? Would you like me to just do
a straight adaptation of ippool-0.0.3 to the current netfilter setup, first?
> Mind you, I'm planning a number of `unofficial' patches which
> will be included in the next version of iptables, for the users to
> apply or not apply as they wish (if they apply the patch, then the
> appropriate library counterpart will be compiled).
Fine.
best regards
Patrick
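The slice design sketched in the message above (a map made of one or more bitmap "slices", each bounded by a first and last address, with a bounds-checked lookup of a packet's source or destination address, and a target that sets or clears the bit) is modelled below as an added example in C. It is not code from ippool, ipmap or the netfilter project; the names ipmap_add_slice, ipmap_set, ipmap_test and ipmap_match are hypothetical, addresses are plain host-order IPv4 integers rather than skb fields, and the addresses used in ipmap_selftest are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of one ipmap slice: a bitmap covering the inclusive
 * IPv4 range [first, last], i.e. what '-A myMap -s first -d last -j Bitmap'
 * would create. Addresses are host-order uint32_t values here. */
struct ipmap_slice {
    uint32_t first, last;
    unsigned char *bits;           /* one bit per address in the range */
    struct ipmap_slice *next;
};
/* A map is a chain of slices, so it can cover several disjoint ranges. */
struct ipmap {
    const char *name;
    struct ipmap_slice *slices;
};
/* Stand-in for the two skb fields the match and target would read. */
struct pkt { uint32_t saddr, daddr; };

static inline uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Add a bitmap slice for [first, last]. Returns 0 on success, -1 on error. */
int ipmap_add_slice(struct ipmap *map, uint32_t first, uint32_t last) {
    if (first > last) return -1;
    /* 64-bit count so 0.0.0.0-255.255.255.255 does not wrap to zero. */
    uint64_t n = (uint64_t)last - first + 1;
    struct ipmap_slice *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->bits = calloc((size_t)((n + 7) / 8), 1);
    if (!s->bits) { free(s); return -1; }
    s->first = first; s->last = last;
    s->next = map->slices; map->slices = s;
    return 0;
}

/* The bounds check: the slice whose range contains addr, or NULL. */
static struct ipmap_slice *ipmap_find(const struct ipmap *map, uint32_t addr) {
    for (struct ipmap_slice *s = map->slices; s; s = s->next)
        if (addr >= s->first && addr <= s->last)
            return s;
    return NULL;
}

/* Target side ('--set-map-*' with on=1, '--reset-map-*' with on=0).
 * Returns 1 if addr was inside some slice, 0 if it was out of bounds. */
int ipmap_set(struct ipmap *map, uint32_t addr, int on) {
    struct ipmap_slice *s = ipmap_find(map, addr);
    if (!s) return 0;
    uint32_t off = addr - s->first;
    if (on) s->bits[off >> 3] |= (unsigned char)(1u << (off & 7));
    else    s->bits[off >> 3] &= (unsigned char)~(1u << (off & 7));
    return 1;
}

/* Match side: 1 if addr is inside a slice and its bit is set, else 0. */
int ipmap_test(const struct ipmap *map, uint32_t addr) {
    const struct ipmap_slice *s = ipmap_find(map, addr);
    if (!s) return 0;
    uint32_t off = addr - s->first;
    return (s->bits[off >> 3] >> (off & 7)) & 1;
}

/* '-m ipmap --map-src' (use_dst = 0) or '--map-dst' (use_dst = 1). */
int ipmap_match(const struct ipmap *map, const struct pkt *p, int use_dst) {
    return ipmap_test(map, use_dst ? p->daddr : p->saddr);
}

void ipmap_free(struct ipmap *map) {
    while (map->slices) {
        struct ipmap_slice *s = map->slices;
        map->slices = s->next;
        free(s->bits); free(s);
    }
}

/* Walk the set/match/reset sequence on constructed addresses.
 * Returns 1 if every step behaved as described in the message, else 0. */
int ipmap_selftest(void) {
    struct ipmap m = { "myMap", NULL };
    struct pkt p = { ip4(192,168,1,77), ip4(10,0,0,5) };    /* constructed */
    int ok = 1;
    ok &= ipmap_add_slice(&m, ip4(192,168,0,0), ip4(192,168,255,255)) == 0;
    ok &= ipmap_add_slice(&m, ip4(10,0,0,0), ip4(10,0,0,255)) == 0;
    ok &= ipmap_match(&m, &p, 0) == 0;             /* nothing set yet */
    ok &= ipmap_set(&m, p.saddr, 1) == 1;          /* -j IPMAP --set-map-src */
    ok &= ipmap_match(&m, &p, 0) == 1;             /* --map-src now matches */
    ok &= ipmap_match(&m, &p, 1) == 0;             /* --map-dst: bit is clear */
    ok &= ipmap_set(&m, ip4(172,16,0,1), 1) == 0;  /* outside every slice */
    ok &= ipmap_test(&m, ip4(172,16,0,1)) == 0;
    ok &= ipmap_set(&m, p.saddr, 0) == 1;          /* --reset-map-src */
    ok &= ipmap_test(&m, p.saddr) == 0;
    ok &= ipmap_set(&m, ip4(192,168,255,255), 1) == 1;   /* last address */
    ok &= ipmap_test(&m, ip4(192,168,255,255)) == 1;     /* of a slice is reachable */
    ipmap_free(&m);
    return ok;
}

int main(void) {
    printf("ipmap selftest: %s\n", ipmap_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of the bounds check is that the bit offset is only computed after a slice has claimed the address, so a set or match on an address no slice covers is a harmless no-op rather than an out-of-range write or read; a real ippool-style module would also want the range-to-bitmap memory cost considered before accepting a slice as wide as a /0.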