On Tue, Jan 30, 2024 at 05:00:50PM +0000, Slavko wrote:
> On 30 January 2024 15:17:32 UTC, Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>
> >Granted, one cannot create a set that is typed in such a way that an element can be either an IPv4 or IPv6 address/interval.
>
> Nowadays IPv6 becomes more and more common. While almost all
> can stay on an IP(v4)-only host, not all can use an IPv6-only host (yet, as many
> services are still IPv4 only). In other words, many will have dual stack,
> so they can access (or be accessible for) all, and they will need a dual stack FW,
> and IMO will need it for many years.

The correct way to do it would be to develop/install for IPv6 only TODAY and use a transition technology (NAT64/DNS64 for example for client access, and reverse proxies for services) to support IPv4 as a legacy protocol.

> Having separate support for IPv4 and IPv6 was acceptable at the time when
> ip6tables was born, but nowadays IMO a firewall cannot be called modern
> if any of its parts separates that. And any argument (memory, complexity,
> etc) against it is pointless, as dual stacks are (and will be) here.

I find it ok to have separate rule sets for IPv4 and IPv6. They are different protocols in the first place. But it should be possible to hide this separation from the person writing the rules, making it possible to have a definition for a dual-stack host, creating dual-stack rules without even noticing that.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
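Added example, not part of the thread, of the abstraction Marc describes: a host definition holds any mix of IPv4 and IPv6 addresses or prefixes, and a small generator emits an nftables `inet` table with one typed `ipv4_addr` set, one typed `ipv6_addr` set and the matching `ip`/`ip6` rules, so the rule author only ever names the dual-stack host. Host names, addresses, table and set names are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed host definitions: one logical host, any mix of IPv4/IPv6
# addresses or prefixes (documentation ranges, not real hosts).
HOSTS: Dict[str, List[str]] = {
    "web1": ["192.0.2.10", "2001:db8::10"],
    "mgmt": ["198.51.100.0/24", "2001:db8:1::/64"],
    "v6only": ["2001:db8:2::1"],
}

def _fmt(net) -> str:
    # nft takes a host address without /len and a prefix with it.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def split_by_family(hosts: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Validate every entry and bucket it by family.

    nftables sets are typed (ipv4_addr or ipv6_addr), so one set cannot hold
    both; the split happens here instead of in the rule author's head.
    """
    v4, v6 = [], []
    for entries in hosts.values():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=True)  # ValueError on junk/host bits
            (v4 if net.version == 4 else v6).append(net)
    return [_fmt(n) for n in sorted(v4)], [_fmt(n) for n in sorted(v6)]

def _set_block(name: str, typ: str, elems: List[str]) -> str:
    lines = [f"\tset {name} {{", f"\t\ttype {typ}", "\t\tflags interval"]
    if elems:  # an empty typed set is still valid; it just has no elements line
        lines.append("\t\telements = { " + ", ".join(elems) + " }")
    lines.append("\t}")
    return "\n".join(lines)

def render_ruleset(hosts: Dict[str, List[str]], table: str = "filter",
                   setname: str = "trusted") -> str:
    """Emit one inet table whose input chain matches both families via typed sets."""
    v4, v6 = split_by_family(hosts)
    return "\n".join([
        f"table inet {table} {{",
        _set_block(f"{setname}_v4", "ipv4_addr", v4),
        _set_block(f"{setname}_v6", "ipv6_addr", v6),
        "\tchain input {",
        "\t\ttype filter hook input priority 0; policy drop;",
        "\t\tct state established,related accept",
        f"\t\tip saddr @{setname}_v4 accept",
        f"\t\tip6 saddr @{setname}_v6 accept",
        "\t}",
        "}",
    ])
```

Feed `render_ruleset(HOSTS)` to `nft -f -` to load it; a typo or a prefix with host bits set is rejected at generation time rather than silently producing a one-family rule.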