[PATCH 0/3] ipset: change 'iface' part in hash:net,iface set


The following series of 3 patches included in this set allows 'in' or 'out' values to be specified for the 'iface' part of hash:net,iface set, corresponding to the incoming and outgoing interface respectively, thus eliminating the discrepancy which, up until now, existed with the 'old' format and also reinforcing much-needed consistency with the rest of the netfilter/iptables terminology.

For backwards compatibility, the 'old' format, consisting of 'src' (incoming) and 'dst' (outgoing) direction parameters for the 'iface' part of hash:net,iface, is also supported.

The first patch updates iptables (userspace), the second - ipset (userspace), while the last one deals with the rest of the updates to ipset in kernel space, enabling the above functionality.
 
Example of use:

iptables -A INPUT -m set --match-set test src,in
iptables -A OUTPUT -m set --match-set test dst,out

The first example above produces a packet match, based on source IP address/subnet and the incoming interface (i.e. the 'src' interface in old speak), while the second one does the same, but for the destination IP address/subnet and the outgoing interface ('dst' using the old format).

The above two examples also assume that the 'test' set exists and is of type hash:net,iface, otherwise NO match is ever produced.


-- 
1.7.10.4
