The following series of 3 patches included in this set is an alternative to the previous version as they allow 'in' or 'out' values to be specified for the 'iface' part of hash:net,iface set *only*, corresponding to the incoming and outgoing interface accordingly, eliminating the discrepancy which existed with the 'old' format and also reinforcing much-needed consistency with the rest of the netfilter/iptables terminology.

The 'old' format, comprising 'src' (incoming) and 'dst' (outgoing) direction parameter for the 'iface' part of hash:net,iface is also supported. Other ip set types are not affected by this change.

The first patch updates iptables (userspace), the second - ipset (userspace), while the last one deals with the rest of the updates to ipset in kernel space, enabling the above functionality.

Example of use:

    iptables -A INPUT -m set --match-set iface_set src,in -j ACCEPT
    iptables -A OUTPUT -m set --match-set iface_set dst,out -j ACCEPT

The first example above produces a packet match, based on source IP address/subnet and the incoming interface (i.e. the 'src' interface in old speak), while the second one does the same, but for the destination IP address/subnet and the outgoing interface ('dst' using the old format).

The above two examples also assume that the 'iface_set' set exists and is of type hash:net,iface, otherwise NO match is produced.

Changelog:

Version 2: Enforces restrictions on 'in' and 'out' direction parameters to be used only in hash:net,iface type sets. Minor bugs in the previous version of the patch have also been corrected.

Version 1: Initial submission

--
1.7.10.4