On Sun, 1 Jul 2012, Mr Dash Four wrote:

> > I have just released ipset 6.13 with a few bugfixes and some new features.
> >
> > Userspace changes:
> > - Explain in more detail src/dst for hash:net,iface
> >
> Assuming this is what you've had in mind (taken from "man ipset"):
>
> The second direction parameter of the set match and
> SET target modules corresponds to the incoming/outgoing interface:
> src to the incoming one (similar to the -i flag of iptables), while
> dst to the outgoing one (similar to the -o flag of iptables). When
> the interface is flagged with physdev:, the interface is interpreted
> as the incoming/outgoing bridge port.
>
> I think that is plain wrong!
>
> You refer to the incoming interface (interface on which packets arrive) as the
> "source". That cannot be right. To me, it should be a "destination", not
> "source" as the very definition of a "destination" is where something ends,
> this is where a packet arrives and where the journey of the packet "stops" (or
> where the packet is "destined" to arrive anyway). It should definitely not be
> a "source" as the packet does not originate there, nor does it start its
> journey there.
>
> Similarly for the outgoing interface - this isn't a "destination" interface as
> the packet doesn't arrive there - it is where it starts its journey from!
>
> So, I think you should reverse both definitions and match "src" with the
> outgoing interface and "dst" with the incoming interface - exactly the
> opposite of what you have now. Documenting something which was done wrong in
> the first place doesn't make it right.

The hash:net,iface type has been out for a long time. It is not possible to
change the meaning of src/dst without breaking backward compatibility,
therefore I won't do it. As a "workaround" I tried to explain the meaning of
src/dst for iface as clearly as possible.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary