I have just released ipset 6.13 with a few bugfixes and some new features.
Userspace changes:
- Explain in more detail src/dst for hash:net,iface
Assuming this is what you've had in mind (taken from "man ipset"):
The second direction parameter of the set match and
SET target modules corresponds to the incoming/outgoing interface:
src to the incoming one (similar to the -i flag of iptables), while
dst to the outgoing one (similar to the -o flag of iptables). When
the interface is flagged with physdev:, the interface is interpreted
as the incoming/outgoing bridge port.
I think that is plain wrong!
You refer to the incoming interface (interface on which packets arrive)
as the "source". That cannot be right. To me, it should be a
"destination", not "source", as the very definition of a "destination"
is where something ends: this is where a packet arrives and where the
journey of the packet "stops" (or where the packet is "destined" to
arrive anyway). It should definitely not be a "source", as the packet
does not originate there, nor does it start its journey there.
Similarly for the outgoing interface - this isn't a "destination"
interface as the packet doesn't arrive there - it is where it starts its
journey from!
So, I think you should reverse both definitions and match "src" with the
outgoing interface and "dst" with the incoming interface - exactly the
opposite of what you have now. Documenting something which was done
wrong in the first place doesn't make it right.