> No, that's a totally wrong way. ipset is independent from
> iptables/ip6tables: you cannot refer to a match/target/chain from ipset.
> It also makes no sense to reimplement those in ipset.

Yes. It's obvious that iptables needs to do decision handling, packet flow, etc. It's just that I want to store that information in ipset, using which iptables can decide. Clearly, iptables also needs to have support for these modified/new ipset.

> If you miss functionality in nftables compared to ipset, then invest your
> energy in nftables instead. Dictionaries, maps are already there.

This looks more promising to me from day 1. However, are all the functionalities of iptables and ipset incorporated in nftables? E.g., can we store connmark and tc classid in the skbinfo of a named set in nftables?