I have notice that iptreemap has been removed from ipset :-(

Can anybody shed light on how can I achieve the equivalent of iptreemap with the latest ipset toolset?
I have lots of IP ranges defined as "sip-dip" e.g.
1.1.1.1-1.1.1.255 and would like to maintain the ranges as they are without changing format.
I know I could do 1.1.1.0/24 but that's not what I want and it's not always possible/flexible it's just an example...

I have tried bitmap:ip and hash:ip but both are not fit for purpose as they convert an IP range into individual entries!

Any help please?
Thanks

How about using hash:net?


"wanting" something rarely changes what's available.


If you mean you need to poke holes in ranges then see 'man ipset' for the "nomatch" arg?

That's what I've ended up usingbut the public IP black lists are provided in the format sIP-dIP. This involves a painful (in terms of CPU time) conversion from ranges into subnets and an exceptional treatment for individual IPs. Not complaining but I can't help noticing that what it used to be working out of the box by iptreemap is not working anymore.

Thanks for this, I had a look at the (poor) ipset man page and unless I'm missing something it doesn't seem to add much value to what I'm after.

First of all I view any lists as no more than "mildly helpful" as there are a few concerns with lists in general that (should) raise questions. Especially with aggregates there often is no way to way to find out more about origin quality in terms of disparate sensor platforms, sensor accuracy and scope, timeliness, aggregation (software!) errors, et cetera. For example scan reports are the product of a highly temporal focus on IP ranges, ports and applications. So while security should be thought of as multi-layered and continuously changing, the local "meaning" of a list is defined by its neighbourhood, network security posture, machine security footprint and actual application use. So if you're in APAC it doesn't make sense to use US-centric lists, if you're not running for example publicly accessible MongoDB, Elastic Search or IIS then results "polluted" by related Snort signatures will only result in (N)IDS, SIEM or firewall performance degradation and if you're using proxy or TOR exit node lists then you're SOL anyway as those change constantly.


Script something using PERLs Net::CIDR or Pythons netaddr or cidrize?


If "exceptional treatment" != punching holes then it depends on your definition / explanation of things.