From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Netfilter Core Team <netfilter-devel@vger.kernel.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH v2 3/3] ipset: change 'iface' part in hash:net,iface set
Date: Sun, 15 Jul 2012 23:14:55 +0100 [thread overview]
Message-ID: <500340DF.6070207@googlemail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1207152041270.4159@blackhole.kfki.hu>
>> I would like to see why do you think the use of in/out should be restricted in
>> list:set types, given the fact that there could be hash:net,iface members
>> registered in that type of set?
>>
>> Why should I (and I am sure I am not going to be the only one) have to
>> scratch my head and think what is corresponding to 'src' and 'dst' every
>> time I place a hash:net,iface set member in a list:set and why I can't
>> make use of in or out, in addition to src/dst in that list:set?
>>
>
> Because this or that way, someone would scratch his/her head. For example
> if the rule contains "in/out" and the list:set is a mixed one, contains
> both hash:net,iface and other types of sets. They'll ask: "What the heck
> is "in/out" for say hash:ip type of set?"
You still didn't answer my question: Why do you impose the restriction
in "solution a", given that the result from both solutions (a & b) are
exactly the same, which is what you wanted all along and which was the
main reason for you not wanting in/out to be allowed/entered in a
list:set in a first place?
What I have suggested to you was that you allow in/out to be *entered*,
as input, in a list:set (i.e. in the iptables statement), but treated
internally in the same way as src/dst ('in' to be treated internally as
'src', 'out' as 'dst' obviously). In that way, there won't be any
discrepancies and the results from both "solutions" will be the same. In
other words (using the example you gave earlier), typing:
-bash-~# iptables -A INPUT -m set --match-set list1 src,in -j ACCEPT
and
-bash-~# iptables -A INPUT -m set --match-set list1 src,src -j ACCEPT
to be both accepted and 'in', as *entered* above, to be interpreted in
the same way as 'src'. That way there won't be any "different" results.
This is, to my understanding, what "solution b" is. What you are asking
is 'in' to be rejected completely (i.e. not accepted as input) and only
the following to be allowed:
-bash-~# iptables -A INPUT -m set --match-set list1 src,src -j ACCEPT
even though in that list1 set I could have hash:net,iface elements. What
you are doing by this (and in "solution a") is placing an unnecessary
restriction on in/out and prevent it from being entered/accepted at all,
and that is why I asked you to justify that restriction.
The users are not morons (well, not all of them anyway) - they make a
concious decisions on what to use/enter as direction parameters, so I
think they should be allowed to enter in/out, particularly because the
list:set could contain hash:net,iface elements and it is why I think
in/out should be allowed.
next prev parent reply other threads:[~2012-07-15 22:15 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-09 22:23 [PATCH v2 0/3] iptables: change 'iface' part in hash:net,iface set Mr Dash Four
2012-07-09 22:23 ` [PATCH v2 1/3] " Mr Dash Four
2012-07-10 15:54 ` Jozsef Kadlecsik
2012-07-10 23:41 ` Mr Dash Four
2012-07-12 7:11 ` Jozsef Kadlecsik
2012-07-13 0:41 ` Mr Dash Four
2012-07-13 8:11 ` Jozsef Kadlecsik
2012-07-13 13:56 ` Mr Dash Four
2012-07-09 22:23 ` [PATCH v2 2/3] ipset: " Mr Dash Four
2012-07-10 15:35 ` Jozsef Kadlecsik
2012-07-09 22:23 ` [PATCH v2 3/3] " Mr Dash Four
2012-07-10 15:32 ` Jozsef Kadlecsik
2012-07-10 23:41 ` Mr Dash Four
2012-07-11 20:25 ` Jozsef Kadlecsik
2012-07-13 0:42 ` Mr Dash Four
2012-07-13 8:02 ` Jozsef Kadlecsik
2012-07-13 13:57 ` Mr Dash Four
2012-07-13 14:16 ` Jozsef Kadlecsik
2012-07-13 14:22 ` Mr Dash Four
2012-07-14 8:45 ` Jozsef Kadlecsik
2012-07-14 12:35 ` Mr Dash Four
2012-07-14 16:37 ` Jozsef Kadlecsik
2012-07-15 11:54 ` Mr Dash Four
2012-07-15 15:02 ` Jozsef Kadlecsik
2012-07-15 16:32 ` Mr Dash Four
2012-07-15 19:21 ` Jozsef Kadlecsik
2012-07-15 19:39 ` Jozsef Kadlecsik
2012-07-15 22:14 ` Mr Dash Four [this message]
2012-07-16 8:03 ` Jozsef Kadlecsik
2012-07-16 12:39 ` Mr Dash Four
2012-07-16 13:58 ` Jozsef Kadlecsik
2012-07-17 23:29 ` Mr Dash Four
2012-07-18 12:54 ` Jozsef Kadlecsik
2012-07-19 22:52 ` Mr Dash Four
2012-07-19 22:52 ` Mr Dash Four
2012-07-15 22:48 ` Mr Dash Four
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=500340DF.6070207@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.