Re: [ANNOUNCE] ipset 6.13 released
> I have just released ipset 6.13 with a few bugfixes and some new features.
>
> Userspace changes:
>
> - Explain in more detail src/dst for hash:net,iface
Assuming this is what you've had in mind (taken from "man ipset"):

    The second direction parameter of the set match and SET target modules
    corresponds to the incoming/outgoing interface: src to the incoming one
    (similar to the -i flag of iptables), while dst to the outgoing one
    (similar to the -o flag of iptables). When the interface is flagged with
    physdev:, the interface is interpreted as the incoming/outgoing bridge
    port.

I think that is plain wrong! You refer to the incoming interface (interface on which packets arrive) as the "source". That cannot be right. To me, it should be a "destination", not "source", as the very definition of a "destination" is where something ends; this is where a packet arrives and where the journey of the packet "stops" (or where the packet is "destined" to arrive anyway). It should definitely not be a "source" as the packet does not originate there, nor does it start its journey there.
Similarly for the outgoing interface - this isn't a "destination" interface as the packet doesn't arrive there - it is where it starts its journey from!
So, I think you should reverse both definitions and match "src" with the outgoing interface and "dst" with the incoming interface - exactly the opposite of what you have now. Documenting something which was done wrong in the first place doesn't make it right.
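For reference, here is what the man page text quoted above means in practice for a hash:net,iface set. This is an added example, not part of the thread or the ipset project; the set name, the network and the interface name are constructed placeholders, and it assumes root plus the ipset and iptables tools.

```shell
#!/bin/sh
# Added example: the second direction parameter of "-m set" picks the
# interface side of a hash:net,iface entry. Set name, network and interface
# are constructed placeholders. Needs root and the ipset/iptables tools.
set -e
if [ "$(id -u)" -ne 0 ] || ! command -v ipset >/dev/null 2>&1; then
    echo "needs root and the ipset tool; nothing applied" >&2
    exit 0
fi

# One entry: network 203.0.113.0/24 paired with interface eth0.
ipset create -exist blocked_ifaces hash:net,iface
ipset add -exist blocked_ifaces 203.0.113.0/24,eth0

# "src,src": first src = packet source address must be in 203.0.113.0/24,
# second src = the *incoming* interface must be eth0 (same as "-i eth0").
iptables -A INPUT -m set --match-set blocked_ifaces src,src -j DROP

# Equivalent rule written without a set, showing the -i correspondence:
iptables -A INPUT -s 203.0.113.0/24 -i eth0 -j DROP

# "dst,dst": first dst = packet destination address in 203.0.113.0/24,
# second dst = the *outgoing* interface must be eth0 (same as "-o eth0").
iptables -A OUTPUT -m set --match-set blocked_ifaces dst,dst -j DROP

# Equivalent rule without a set, showing the -o correspondence:
iptables -A OUTPUT -d 203.0.113.0/24 -o eth0 -j DROP
```

Whatever one thinks of the naming, rules written with the second parameter as "src" only ever match on INPUT/FORWARD/PREROUTING paths where an incoming interface exists, so a mismatch shows up as a rule that silently never fires rather than as an error.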
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html