On Wed, 27 Feb 2019, Pierre Colombier wrote:

> Hi, I feel the documentation is quite unclear with this matcher.
>
> http://ipset.netfilter.org/iptables-extensions.man.html#lbBS
>
> the behaviour is also counterintuitive
>
> as an example
>
> If I receive an Ipsec encapsulated Gre packet, then rule with --dir in --pol
> none will match ESP packet.
>
> and rule with --dir in --pol ipsec will match Gre packet.
>
> By the way, what is the meaning of in/out in the forward context ?
>
> A little documentation and explanations about why things are named the way
> they are would be a great enhancement.

The documentation you are referring to is about ipset and not ipsec.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary