> Do you deliberately close your eyes? In the two rules
Explain the above comment please?
> iptables -A INPUT -m set --match-set list1 src,src -j ACCEPT
> iptables -A INPUT -m set --match-set list1 src,in -j ACCEPT
> the underlying set types "decide" how to act to "src/in", when actually
> "src" == "in". I hear you shouting: FOR HASH:NET,IFACE ONLY. Right. But
> "list1" is a list type of set, not hash:net,iface. Still, the result is
> different.
Whoever produces the above statements is making a conscious decision on
what to use/deploy! I am repeating this for, I don't know, a third time
maybe - what my patch series are offering is a choice. If you, or
anybody else wishes to continue to use 'src' or 'dst' (including for
interface matching), then so be it, you are completely free to do that -
I am not forcing you, or anyone to do otherwise.
If, on the other hand, I, or anybody else, is not entirely comfortable
with using 'src' or 'dst' for interface matching and prefer to use 'in'
or 'out' instead, then so be it - the choice is there.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html