From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [ANNOUNCE] ipset 6.13 released
Date: Sun, 01 Jul 2012 11:46:43 +0100
Message-ID: <4FF02A93.8080603@googlemail.com>
In-Reply-To: <alpine.DEB.2.00.1206292201340.29738@blackhole.kfki.hu>

> I have just released ipset 6.13 with a few bugfixes and some new features.
>
> Userspace changes:
> - Explain in more detail src/dst for hash:net,iface
>
Assuming this is what you've had in mind (taken from "man ipset"):

    The second direction parameter of the set match and
    SET target modules corresponds to the incoming/outgoing interface:
    src to the incoming one (similar to the -i flag of iptables), while
    dst to the outgoing one (similar to the -o flag of iptables). When
    the interface is flagged with physdev:, the interface is interpreted
    as the incoming/outgoing bridge port.

I think that is plain wrong!

You refer to the incoming interface (interface on which packets arrive)
as the "source". That cannot be right. To me, it should be a
"destination", not "source" as the very definition of a "destination"
is where something ends, this is where a packet arrives and where the
journey of the packet "stops" (or where the packet is "destined" to
arrive anyway). It should definitely not be a "source" as the packet
does not originate there, nor does it start its journey there.

Similarly for the outgoing interface - this isn't a "destination"
interface as the packet doesn't arrive there - it is where it starts its
journey from!

So, I think you should reverse both definitions and match "src" with the
outgoing interface and "dst" with the incoming interface - exactly the
opposite of what you have now. Documenting something which was done
wrong in the first place doesn't make it right.
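
Added example, not part of the message above and not ipset code: a small Python model of the mapping the quoted man page text documents for hash:net,iface, so a rule author can see what each direction pair actually compares. The names Packet and match_set, the sample set entry and the packets are constructed; that the first direction flag selects the packet's source or destination address, and that a missing interface yields no match, are assumptions of this model.

```python
"""Model of the documented src/dst mapping for hash:net,iface (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    in_iface: Optional[str]   # what iptables -i would see; None if the hook has none
    out_iface: Optional[str]  # what iptables -o would see; None if the hook has none


def match_set(entries, pkt, directions):
    """Evaluate `-m set --match-set NAME <directions>` against a hash:net,iface set.

    entries: iterable of (cidr, iface) pairs, as in `ipset add NAME cidr,iface`.
    directions: e.g. "src,src"; first flag picks the address (assumption of this
    model), second flag picks the interface as the man page text describes.
    """
    addr_dir, iface_dir = directions.split(",")
    for flag in (addr_dir, iface_dir):
        if flag not in ("src", "dst"):
            raise ValueError(f"bad direction flag: {flag!r}")
    addr = ip_address(pkt.src_ip if addr_dir == "src" else pkt.dst_ip)
    # Man page: src -> incoming interface (-i), dst -> outgoing interface (-o).
    iface = pkt.in_iface if iface_dir == "src" else pkt.out_iface
    if iface is None:
        return False  # modelled as "no match" when the hook has no such interface
    return any(addr in ip_network(cidr) and iface == name for cidr, name in entries)


# Constructed sample data: one set entry, one forwarded and one locally delivered packet.
LAN = [("192.168.0.0/24", "eth0")]
FORWARDED = Packet("192.168.0.7", "203.0.113.9", in_iface="eth0", out_iface="eth1")
LOCAL_IN = Packet("192.168.0.7", "192.168.0.1", in_iface="eth0", out_iface=None)

if __name__ == "__main__":
    for dirs in ("src,src", "src,dst", "dst,src", "dst,dst"):
        print(dirs, match_set(LAN, FORWARDED, dirs), match_set(LAN, LOCAL_IN, dirs))
```

With this mapping, "src,src" is the pair that expresses "traffic from the LAN network arriving on the LAN interface"; the second flag names the interface the packet came in on or goes out of, not the direction of the address.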