Re: [ANNOUNCE] ipset 6.13 released

[Mr Dash Four <mr.dash.four@googlemail.com>]

> Maybe ASCII art helps better to explain the different views:
>
> - Mr Dash Four
>
>                      -----------
>   pkt comes in ----- | machine | ----- pkt goes out
>                    ^ ----------- ^
>                  destination   source
>
> - my view follows how the subsytem sees the interfaces
>
>                              ------------------
>   pkt comes in --- interface | ipset subsytem | interface --- pkt goes out
>                            ^ ------------------ ^
>                        source               destination
>
>   
How do you explain that the same "ipset subsystem" treats the IP address 
of the "source" interface (according to your diagram above) as 
"destination" when I match the same (incoming) packet above?

In other words, when I match a packet arriving on the "source" interface 
(again, according to the diagram above) against the IP address this 
"source" interface belongs to, I have to use "dst" designation, not 
"src", but when I match it against the interface then I have to use 
"src" instead? Also, how do you explain that the same designation 
(destination) applies for everything else but the hash:net,iface set for 
the same type of match (incoming packet)?

Give me a reasonable and coherent explanation and I'll accept your argument.

> "src" and "dst" are generic keywords of the set match and SET target of 
> iptables/ip6tables and independent of the set types. The match and target 
> have no idea what is "src" and "dst", the given set interprets them 
> according to the type.
>   
Regardless of whether the set match and SET target use these two 
keywords, across the whole netfilter terminology, there is consistency 
applied with the notable exception of the hash:net,iface and the "iface" 
part in particular.