LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 04-20-2015, 03:44 PM   #1
rs232
Member
 
Registered: Oct 2005
Posts: 51

Rep: Reputation: 0
latest ipset:: iptreemap missing?


I have notice that iptreemap has been removed from ipset :-(

Can anybody shed light on how can I achieve the equivalent of iptreemap with the latest ipset toolset?
I have lots of IP ranges defined as "sip-dip" e.g.
1.1.1.1-1.1.1.255 and would like to maintain the ranges as they are without changing format.
I know I could do 1.1.1.0/24 but that's not what I want and it's not always possible/flexible it's just an example...

I have tried bitmap:ip and hash:ip but both are not fit for purpose as they convert an IP range into individual entries!

Any help please?
Thanks
 
Old 04-26-2015, 04:54 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by rs232 View Post
how can I achieve the equivalent of iptreemap with the latest ipset toolset?
How about using hash:net?


Quote:
Originally Posted by rs232 View Post
I know I could do 1.1.1.0/24 but that's not what I want
"wanting" something rarely changes what's available.


Quote:
Originally Posted by rs232 View Post
it's not always possible/flexible
If you mean you need to poke holes in ranges then see 'man ipset' for the "nomatch" arg?
 
Old 04-27-2015, 04:51 AM   #3
rs232
Member
 
Registered: Oct 2005
Posts: 51

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
How about using hash:net?
That's what I've ended up usingbut the public IP black lists are provided in the format sIP-dIP. This involves a painful (in terms of CPU time) conversion from ranges into subnets and an exceptional treatment for individual IPs. Not complaining but I can't help noticing that what it used to be working out of the box by iptreemap is not working anymore.

Quote:
Originally Posted by unSpawn View Post
If you mean you need to poke holes in ranges then see 'man ipset' for the "nomatch" arg?
Thanks for this, I had a look at the (poor) ipset man page and unless I'm missing something it doesn't seem to add much value to what I'm after.
 
Old 04-27-2015, 06:29 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by rs232 View Post
(..) the public IP black lists are provided in the format sIP-dIP.
First of all I view any lists as no more than "mildly helpful" as there are a few concerns with lists in general that (should) raise questions. Especially with aggregates there often is no way to way to find out more about origin quality in terms of disparate sensor platforms, sensor accuracy and scope, timeliness, aggregation (software!) errors, et cetera. For example scan reports are the product of a highly temporal focus on IP ranges, ports and applications. So while security should be thought of as multi-layered and continuously changing, the local "meaning" of a list is defined by its neighbourhood, network security posture, machine security footprint and actual application use. So if you're in APAC it doesn't make sense to use US-centric lists, if you're not running for example publicly accessible MongoDB, Elastic Search or IIS then results "polluted" by related Snort signatures will only result in (N)IDS, SIEM or firewall performance degradation and if you're using proxy or TOR exit node lists then you're SOL anyway as those change constantly.


Quote:
Originally Posted by rs232 View Post
This involves a painful (in terms of CPU time) conversion from ranges into subnets
Script something using PERLs Net::CIDR or Pythons netaddr or cidrize?


Quote:
Originally Posted by rs232 View Post
and an exceptional treatment for individual IPs. (..) unless I'm missing something it doesn't seem to add much value to what I'm after.
If "exceptional treatment" != punching holes then it depends on your definition / explanation of things.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ipset with iptables not working wolfsden3 Linux - Security 2 09-09-2014 08:09 PM
IPSET 6.8 install problem dashang.trivedi Linux - Networking 4 06-25-2013 07:07 AM
Latest -current update - libXt - md5 checksum missing devnull10 Slackware 2 03-12-2011 03:34 AM
Installing the latest version of octave readline libraries missing matuk_444 Ubuntu 1 08-02-2007 10:12 PM
Insmod seems to be missing (FC4 latest kernel) cynicalicious Linux - Newbie 6 03-18-2006 11:31 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration