On Thu, 2009-05-07 at 09:31 -0500, Susan Hinrichs wrote:
> > Nftables will let you do that in the future
> >
> > http://lwn.net/Articles/324251/
> >
>
> Great! Looking forward to it. The dictionaries look great. I'll have
> to start playing with the first version on a test machine. Do you know
> what kind of MAC address support there is? Similar to the source mac
> support in iptables?

Sorry, can't help you there. It's probably best to ask concrete questions about the planned features of nftables on the netfilter-devel list, AFAIK it's still under heavy development.

But as far as I understand the dictionary concept, MAC address matching should become available at one point.

"Sets (as everything else) operate on generic data and thus can be used for any kind of match."

Until nftables becomes stable enough for production I myself am sticking with the chain tree approach (and ipset for simple IP match sets)