Hi Kristian,

On Thu, 26 Sep 2019, Kristian Evensen wrote:

> The net,iface equal functions currently compare the full interface
> names. In several cases, wildcard (or prefix) matching is useful. For
> example, when converting a large iptables rule-set to make use of ipset,
> I was able to significantly reduce the number of set elements by making
> use of wildcard matching.
>
> Wildcard matching is enabled by adding "wildcard" when adding an element
> to a set. Internally, this causes the IPSET_FLAG_IFACE_WILDCARD-flag to
> be set. When this flag is set, only the initial part of the interface
> name is used for comparison.

Sorry for the long delay - I'm still pondering on the syntax.

ip[6]tables uses the "+" notation for prefix matching. So in order to be
compatible with it, it'd be better to use "ifac+" instead of
"ifac prefix". The parsing/printing could be solved in the interface
parser/printer functions internally.

What do you think?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
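
The "+" notation proposed in this message, sketched as an added example that is not code from ipset or from either author. The names `iface_elem`, `iface_parse`, `iface_match` and `iface_print` are hypothetical, and the `wildcard` field only stands in for the flag the patch describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFACE_MAX 16 /* assumed buffer size: the kernel's IFNAMSIZ, NUL included */

struct iface_elem {            /* hypothetical set element, not ipset's struct */
    char name[IFACE_MAX];      /* stored without the trailing '+' */
    bool wildcard;             /* stand-in for the wildcard flag */
};

/* Parse "eth0" or "eth+"; returns 0 on success, -1 on empty or over-long input. */
int iface_parse(const char *arg, struct iface_elem *e)
{
    size_t len = strlen(arg);
    if (len == 0)
        return -1;
    e->wildcard = (arg[len - 1] == '+');
    if (e->wildcard)
        len--;                 /* a bare "+" leaves an empty prefix: matches every name */
    if (len >= IFACE_MAX)
        return -1;             /* reject instead of silently truncating the name */
    memcpy(e->name, arg, len);
    e->name[len] = '\0';
    return 0;
}

/* Exact compare by default; prefix compare when the element is a wildcard. */
bool iface_match(const struct iface_elem *e, const char *ifname)
{
    if (e->wildcard)
        return strncmp(e->name, ifname, strlen(e->name)) == 0;
    return strcmp(e->name, ifname) == 0;
}

/* Print the element back in the notation it was parsed from. */
int iface_print(const struct iface_elem *e, char *buf, size_t size)
{
    int n = snprintf(buf, size, "%s%s", e->name, e->wildcard ? "+" : "");
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    struct iface_elem e;
    char buf[IFACE_MAX + 1];
    if (iface_parse("eth+", &e) == 0 && iface_print(&e, buf, sizeof buf) == 0)
        printf("%s eth1=%d wlan0=%d\n", buf, iface_match(&e, "eth1"), iface_match(&e, "wlan0"));
    return 0;
}
```

Because the "+" is consumed by the parser and re-added by the printer, the stored name and the comparison path stay the same as for a flag-based syntax.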