From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Netfilter Core Team <netfilter-devel@vger.kernel.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH 0/3] ipset: change 'iface' part in hash:net,iface set
Date: Fri, 06 Jul 2012 21:19:52 +0100 [thread overview]
Message-ID: <4FF74868.3070303@googlemail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1207062138140.16055@blackhole.kfki.hu>
> ...you are right, because "in" is equivalent with "src".
>
Except that it isn't. It is only "equivalent" for the 'iface' part of
hash:net,iface sets and nothing else. Consider it as an alternative to
select 'iface' part of a hash:net,iface set. It servers no other purpose
and should *not* be used for anything else.
> This creates more confusion for the users than the current state: one
> had to keep in mind what kind of sets are stored in a list of sets and
> depending on them, use "src/dst" or "in/out" in the second direction
> parameter.
Please explain the 'confusion' bit?
I've made it quite clear in the definition of 'in' and 'out' (not least
in the various man pages which form part of these patch series - a bit
like you trying to clarify the use of 'src' and 'dst' for the 'iface'
part in the last ipset update) - 'in' is meant for a match on the
'incoming', 'out' on the 'outgoing' interfaces.
If one wishes to produce a match against those interfaces, then 'in' and
'out' is one possible way to go, if not - then use 'src' or 'dst' if you
feel more comfortable with it.
What I am offering with my patch series is a choice (a choice I didn't
have before, I might add!) - nobody is forced to use it, except those
who understand that choice. If one is unwilling/unable to deploy this
for one reason or another, no problem - quite simple really.
> And additionally,
>
> iptables -A INPUT -m set --match-set list1 src,src -j ACCEPT
>
> and
>
> iptables -A INPUT -m set --match-set list1 src,in -j ACCEPT
>
> produced different results for the same member sets with the same elements
> against the same packets. This is unacceptable for me.
>
You can't expect to issue two different iptables statements (as in your
example above) and get the same number of matches! Not going to happen,
is it? By the same token, if I execute the following two statements:
iptables -A INPUT -m set --match-set list1 src,src -j ACCEPT
and
iptables -A INPUT -m set --match-set list1 src,dst -j ACCEPT
The above will also produce "different results for the same member sets
with the same elements against the same packets". So why is this not
"unacceptable" then?
next prev parent reply other threads:[~2012-07-06 20:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-05 22:34 [PATCH 0/3] ipset: change 'iface' part in hash:net,iface set Mr Dash Four
2012-07-05 22:34 ` [PATCH 1/3] iptables: " Mr Dash Four
2012-07-05 22:34 ` [PATCH 2/3] ipset: " Mr Dash Four
2012-07-05 22:34 ` [PATCH 3/3] " Mr Dash Four
2012-07-06 8:35 ` [PATCH 0/3] " Jozsef Kadlecsik
2012-07-06 19:05 ` Mr Dash Four
2012-07-06 19:11 ` Jan Engelhardt
2012-07-06 19:21 ` Mr Dash Four
2012-07-06 19:44 ` Mr Dash Four
2012-07-06 19:47 ` Jozsef Kadlecsik
2012-07-06 20:19 ` Mr Dash Four [this message]
2012-07-06 20:39 ` Jozsef Kadlecsik
2012-07-06 21:04 ` Mr Dash Four
[not found] ` <CAHo-OowHXH9f526QQc4Ln5_P_Osdm1Q_RrBkw83hSGj=oES5ww@mail.gmail.com>
2012-07-06 20:41 ` Mr Dash Four
2012-07-06 20:49 ` Jozsef Kadlecsik
2012-07-06 21:04 ` Mr Dash Four
2012-07-06 21:39 ` Jozsef Kadlecsik
2012-07-06 22:25 ` Mr Dash Four
2012-07-07 14:53 ` Jozsef Kadlecsik
2012-07-07 16:23 ` Jozsef Kadlecsik
2012-07-08 13:03 ` Mr Dash Four
2012-07-08 18:55 ` Jozsef Kadlecsik
2012-07-08 19:03 ` Mr Dash Four
2012-07-08 19:07 ` Jozsef Kadlecsik
2012-07-08 19:11 ` Mr Dash Four
2012-07-08 20:30 ` Jozsef Kadlecsik
2012-07-08 22:10 ` Mr Dash Four
2012-07-08 22:20 ` Jozsef Kadlecsik
2012-07-08 22:25 ` Mr Dash Four
2012-07-08 22:55 ` Jozsef Kadlecsik
2012-07-09 20:19 ` Mr Dash Four
2012-07-09 22:05 ` Mr Dash Four
2012-07-08 13:03 ` Mr Dash Four
[not found] ` <CAHo-Ooya+1H939TqppUcY+pwprOH34zi-jHtnsN+g522aJ3ctw@mail.gmail.com>
2012-07-08 19:43 ` Mr Dash Four
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FF74868.3070303@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).