So for some reason the replies to this never made it back to my inbox (even though I see some have been made from the online view: https://marc.info/?l=netfilter&m=152096936118812&w=2) so I'm just going to reply here and hopefully "get back into" the conversation...

@Robert:

> If you actually meant "hash:net,port,net"

Yes, I did; sorry about that. "hash:net,port,net"

> it's one of the express examples at the bottom of the
> Concatenations page under the "Some ipset types" heading.

That's actually *exactly* what I'm referring to! The hash:net,port,net example is *not* equivalent to the ipset's hash:net,port,hash, even though the wiki leads one to believe they are equivalent.

The key difference between the two is that with ipset, one can add multiple *differently sized* subnets to one set, and therefore only have one rule in iptables. In the case of nftables, a concatenated set can [essentially] only have one sized subnet, because the subnet size is in the rule.

With iptables, I could throw a ton of differently sized subnets (net,port,net) into a set and only have one rule. With nftables' concatenations (a regular interval set works fine, of course), I essentially need to have a set for every different subnet length, and have one rule per each subnet. See the difference?

On Mon, Mar 12, 2018 at 8:36 PM, Fran Fitzpatrick <francis.x.fitzpatrick@xxxxxxxxx> wrote:
> Hi all,
>
> One feature that I've noticed is missing is that there is no
> hash:port:hash equivalent in nftables, which I'm starting to think is
> quite a big gap.
>
> Currently the wiki
> (https://wiki.nftables.org/wiki-nftables/index.php/Concatenations#Examples)
> says that you can do this, however this will only work for one subnet
> per set. So, you cannot have a large set of differently sized
> subnets.
>
> So, I'm worried this may have gone unnoticed especially since the wiki
> thinks you can (however, it's very limited).
>
> Does anyone know if there is any effort going on to remedy this? And
> what would be the best way to put in a feature request if it is not
> being worked on?
>
> Thank you,
> Fran Fitzpatrick
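To make the difference Fran describes concrete, here is an added ruleset (my own illustration, not from the thread or the nftables wiki): the ipset hash:net,port,net shape is shown as comments for comparison, the 2018-era nftables form puts the prefix lengths into the rule's bitwise masks so each (source length, destination length) pair needs its own set and rule, and the last set goes beyond the thread to show the concatenated-range syntax nftables added later (nft 0.9.4 on Linux 5.6, the interval flag on a concatenated set), which is what closes this gap. All addresses are constructed documentation ranges; the set and table names are assumptions.

```nft
# Added illustration, not from the thread. Addresses are constructed
# (RFC 5737 documentation ranges plus 10.0.0.0/8).
#
# ipset/iptables shape for reference (shell, shown as comments):
#   ipset create allow_nets hash:net,port,net
#   ipset add allow_nets 10.0.0.0/8,tcp:443,192.0.2.0/24
#   ipset add allow_nets 203.0.113.128/25,tcp:443,198.51.100.0/28
#   iptables -A FORWARD -m set --match-set allow_nets src,dst,dst -j ACCEPT
#
# Load with: nft -f this_file.nft
table inet filter {
	# 2018-era nftables (what the thread describes): the prefix lengths
	# are the bitwise masks in the rule, so a set can only hold one
	# (source-length, destination-length) pair. Mixing a /8 and a /25
	# source means one set and one rule per pair.
	set allow_s8_d24 {
		type ipv4_addr . inet_service . ipv4_addr
		elements = { 10.0.0.0 . 443 . 192.0.2.0 }
	}
	set allow_s25_d28 {
		type ipv4_addr . inet_service . ipv4_addr
		elements = { 203.0.113.128 . 443 . 198.51.100.0 }
	}

	# Later nftables (nft >= 0.9.4 on Linux >= 5.6): the interval flag
	# on a concatenated set lets each element carry its own prefix
	# length, which is the ipset hash:net,port,net behaviour asked for.
	# This set will not load on older releases.
	set allow_nets {
		type ipv4_addr . inet_service . ipv4_addr
		flags interval
		elements = { 10.0.0.0/8 . 443 . 192.0.2.0/24,
		             203.0.113.128/25 . 443 . 198.51.100.0/28 }
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		ct state established,related accept

		# Old style: the mask, and therefore the subnet size, is in the rule.
		ip saddr & 255.0.0.0 . tcp dport . ip daddr & 255.255.255.0 @allow_s8_d24 accept
		ip saddr & 255.255.255.128 . tcp dport . ip daddr & 255.255.255.240 @allow_s25_d28 accept

		# New style: one rule, one set, mixed prefix lengths (accepts the
		# same traffic as the two rules above).
		ip saddr . tcp dport . ip daddr @allow_nets accept
	}
}
```

Adding a third source prefix length in the old style means another set and another rule; in the new style it is one more element in allow_nets.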