Oh, and also...
and a too-old kernel would not know how to read a too-new ipset request with
IFACE set.
A response I gave on this very issue from the post you quoted:
"...With the second case, again, even if iptables accepts 'in' and 'out'
as values, because the patches I submitted yesterday allow for backwards
compatibility, the kernel would be able to process these matches without
any issues.
If you look at the code, the iptables code is raising both DIM_TWO_SRC
as well as the new DIM_IFACE bits in the 'flags' variable. The set
matching functions of the "old" kernel will "know" of and take into
account just the DIM_TWO_SRC bit to produce a match, which is quite fine
and it is how it is supposed to work in the first place, so again, a match
will be produced and I don't see any issues here either."
If you know any different I am all eyes/ears etc!