On Sun, Sep 06, 2015 at 07:52:47PM +0100, Wilmer van der Gaast wrote:
> Hello,
>
> The "inet" family is a great idea for unifying IPv4 and IPv6
> firewalling, but I just ran into one thing I'm missing.
>
> nft lets me define sets with both IPv4 and IPv6 addresses, but once
> I try using them things go wrong - I assume this means that the
> addresses aren't actually parsed until that point?
>
> I can invoke the set from an ip match, and it will complain about
> IPv6 addresses in the list being invalid. And vice versa, invoke the
> set from an "ip6" match and the IPv4 addresses will cause parse
> errors.
>
> Would it be possible to either have an "inet" match rule, or tell
> nft to skip unknown address families so I could just invoke the set
> twice, once using "ip" and once using "ip6" match rule, without
> running into syntax errors?
>
> I could of course just define two separate sets to get something
> similar to my alternative idea, and maybe I'll try that, but it gets
> kludgier that way. :-(

Could you illustrate with examples what you would like to have and the
limitations you are currently hitting?

Thanks.
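
The two-set alternative mentioned in the quoted message, as an added example that is not part of the original thread: a Python script that keeps one mixed address list and generates a separate `ipv4_addr` and `ipv6_addr` set in an `inet` table. The addresses (documentation ranges), the set names `blocked4`/`blocked6`, the table name and the drop rules are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: one mixed-family list, maintained in a single place.
MIXED = ["192.0.2.10", "2001:db8::1", "198.51.100.0/24", "2001:db8:abcd::/48"]


def split_by_family(entries):
    """Return (ipv4, ipv6) lists of normalized address or prefix strings."""
    v4, v6 = [], []
    for entry in entries:
        # ip_network accepts single hosts and prefixes; strict=True rejects
        # entries with host bits set (e.g. 192.0.2.1/24) instead of guessing.
        net = ipaddress.ip_network(entry, strict=True)
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def render_set(name, nft_type, elements):
    """Render one named set; 'flags interval' is added when prefixes are present."""
    lines = [f"    set {name} {{", f"        type {nft_type}"]
    if any("/" in e for e in elements):
        lines.append("        flags interval")
    if elements:
        lines.append("        elements = { " + ", ".join(elements) + " }")
    lines.append("    }")
    return "\n".join(lines)


def render_ruleset(entries, table="filter", base="blocked"):
    """Emit an inet table with one set per family and one rule per set."""
    v4, v6 = split_by_family(entries)
    return "\n".join([
        f"table inet {table} {{",
        render_set(f"{base}4", "ipv4_addr", v4),
        render_set(f"{base}6", "ipv6_addr", v6),
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        ip saddr @{base}4 drop",   # matches IPv4 packets only
        f"        ip6 saddr @{base}6 drop",  # matches IPv6 packets only
        "    }",
        "}",
    ])


if __name__ == "__main__":
    print(render_ruleset(MIXED))
```

The printed ruleset can be checked without loading it using `nft -c -f <file>`.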