Hello,

The "inet" family is a great idea for unifying IPv4 and IPv6
firewalling, but I just ran into one thing I'm missing.

nft lets me define sets with both IPv4 and IPv6 addresses, but once I
try using them things go wrong - I assume this means that the addresses
aren't actually parsed until that point?

I can invoke the set from an ip match, and it will complain about IPv6
addresses in the list being invalid. And vice versa, invoke the set from
an "ip6" match and the IPv4 addresses will cause parse errors.

Would it be possible to either have an "inet" match rule, or tell nft to
skip unknown address families so I could just invoke the set twice, once
using "ip" and once using "ip6" match rule, without running into syntax
errors?

I could of course just define two separate sets to get something similar
to my alternative idea, and maybe I'll try that, but it gets kludgier
that way. :-(

Kind regards,

Wilmer van der Gaast.
--
+-------- .''`. - -- ---+ + - -- --- ---- ----- ------+
| wilmer : :' : gaast.net | | OSS Programmer www.bitlbee.org |
| lintux `. `~' debian.org | | Full-time geek wilmer.gaast.net |
+--- -- - ` ---------------+ +------ ----- ---- --- -- - +
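
Added example, not part of the original message and not nftables project code: a small generator for the two-separate-sets workaround mentioned above, which keeps one mixed address list as the source of truth and emits one typed set per family inside an inet table. The table, set and chain names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: one mixed list, documentation-range addresses only.
MIXED = ["192.0.2.10", "198.51.100.0/24", "2001:db8::1", "2001:db8:beef::/48"]

def split_by_family(entries):
    """Return (v4, v6) lists of normalised address/prefix strings."""
    v4, v6 = [], []
    for raw in entries:
        # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24),
        # so a typo fails here instead of at ruleset load time.
        net = ipaddress.ip_network(raw.strip(), strict=True)
        # Render single hosts without the /32 or /128 suffix.
        is_host = net.prefixlen == net.max_prefixlen
        text = str(net.network_address) if is_host else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6

def render_set(name, nft_type, elements):
    """One typed set; 'flags interval' is needed once any element is a prefix."""
    lines = [f"    set {name} {{", f"        type {nft_type}"]
    if any("/" in e for e in elements):
        lines.append("        flags interval")
    if elements:  # an empty set is declared without an elements line
        lines.append(f"        elements = {{ {', '.join(elements)} }}")
    lines.append("    }")
    return lines

def render_table(entries, table="filter", base="trusted"):
    """Emit an inet table with one set per family and one rule per set."""
    v4, v6 = split_by_family(entries)
    out = [f"table inet {table} {{"]
    out += render_set(f"{base}4", "ipv4_addr", v4)
    out += render_set(f"{base}6", "ipv6_addr", v6)
    out += [
        # Regular (non-base) chain, meant to be jumped to from a base chain.
        f"    chain from_{base} {{",
        f"        ip saddr @{base}4 accept",
        f"        ip6 saddr @{base}6 accept",
        "    }",
        "}",
    ]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_table(MIXED), end="")
```

The output can be checked without touching the live ruleset using `nft -c -f <file>`.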