From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Ming-Ching Tiew"
Subject: Re: Simple question about ipset
Date: Mon, 25 Sep 2006 04:34:27 +0800
Message-ID: <000701c6e018$d791c790$02bca8c0@freelance>
References: <006701c6dcba$167a4f20$02bca8c0@freelance>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"
To: netfilter@lists.netfilter.org

From: "Jozsef Kadlecsik"

> > I hope my understanding is correct. Perhaps the docs should explain it more
> > clearly.
>
> Yes, the docs are terse. Patches against the docs are (also) always
> welcomed.
>

If my understanding is correct (which I am still not very sure about at this moment), perhaps I may suggest the syntax be changed such that only one flag is allowed (and necessary) and the value can be 'dst', 'src', or 'both'?

e.g.,

  iptables -A FORWARD -m set --set servers dst -j ACCEPT
  iptables -A FORWARD -m set --set servers src -j ACCEPT
  iptables -A FORWARD -m set --set servers both -j ACCEPT

or, if the keyword 'both' is left out, it is then implied:

  iptables -A FORWARD -m set --set servers -j ACCEPT

The nature of the relationship is that it will be hard to form a meaningful relationship where the flags could be heterogeneous, so why not just implement a simplified syntax?

Cheers