On Sunday 01 July 2012 11:21:51 Jozsef Kadlecsik wrote:
> Feel free to involve anyone. Just to sum up: in the case of the
> net:hash,iface type of ipset, the manpage says
>
> "The second direction parameter of the set match and SET target modules
> corresponds to the incoming/outgoing interface: src to the incoming one
> (similar to the -i flag of iptables), while dst to the outgoing one
> (similar to the -o flag of iptables)."
>
> You argue that the meaning of src/dst for the interface part is
> counter-intuitive and therefore must be reversed - regardless of the
> backward compatibility issue and the possible breaking of existing setups.

FWIW, I think the existing semantics are spot-on.

- Where did this packet come from (what was its source)?
  It came from src IF eth0.
- Where is this packet going (what is its destination)?
  It is going to dst IF eth3.

Picture yourself standing in the middle of a (shallow) river. By Mr. Dash
Four's logic, upstream (where the water comes from) is the destination and
downstream (where the water is going) is the source; it's rather
nonsensical. A stream of packets, just like a stream of water, flows from
its source toward its destination.

(A pedant might say that to swap 'source' and 'destination' would be to
pervert language. And language is about the only thing we can use to
communicate.)

Perhaps it would help to view netfilter as a small wayside in the universe
of IPv[46], rather than the center of that universe.