Re: Combine ipv4 and ipv6 in a set

On Tue, Jan 30, 2024 at 10:05:48PM +0000, Kerin Millar wrote:
> On Tue, 30 Jan 2024 19:34:30 +0000
> Slavko <linux@xxxxxxxxxx> wrote:
> > + sets will store protocol agnostic L3 addresses and it doesn't
> >   matter (for me) if IPv4 will be mapped to IPv6 or these L3 sets
> >   will internally maintain two sets -- one for IPv4 and one for IPv6
> 
> Now that you mention it, I thought that I recalled someone filing a related issue at bugzilla but it seems that my memory is playing tricks on me. I can find no such issue now, although there is one that (sort of) proposed an equivalent to the list:set type of ipset. That one was rejected.

For what it's worth, I had a look in bugzilla regarding easy rule
writing two years or so ago, found a number of related bugs, none of
them with a visible reaction, and decided to spend my time with more
productive tasks. Sadly, I didn't take bookmarks, and looking again
earlier this week didn't show any results. I might have looked
differently back then.

> That seems a fair assessment to me. While iptables has the advantage of being simpler in many ways, the iptables(8) man page probably does a better job of on-boarding new users to the underlying concepts. Rusty Russell's guides and HOWTOs were also rather good in their day. Technical writing is a talent unto itself and some people are just naturally good at it (no offense intended to the current team, of course).

Docs in Linux netfilter have been a problem in the last ten or so years.
I remember myself suddenly in a situation of SIP no longer going through
my (unchanged) iptables firewall after a kernel update to find a blog
entry saying that you now need to have a rule sending a packet to the
conntrack/nat helper explicitly for the helpers to work. I didn't find
any place in the official docs where this major change was mentioned.

I am sure that many of the new, nifty features of iptables, netfilter,
nft remain grossly unused because they're not mentioned in Rusty's
documents which are still the gold standard of Linux firewall
documentation.

Isn't that sad?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
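The two technical points in this message (per-family sets, and the conntrack helper that must now be assigned explicitly by a rule) are illustrated by the following nftables ruleset. It is an added example, not code from the thread or from the netfilter project; the table, set, chain and helper names are chosen here, and the addresses are constructed sample values from the documentation ranges.

```nft
# Added illustration (not from the thread): one inet table that keeps an
# IPv4 set and an IPv6 set side by side, plus an explicit helper assignment.
table inet filter {
    # nftables has no family-agnostic address set type, so a protocol-agnostic
    # block list is kept as two sets and matched with the family-specific
    # expression (ip saddr / ip6 saddr) in the same chain.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }       # constructed sample (TEST-NET-1)
    }
    set blocked_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }      # constructed sample (documentation prefix)
    }

    # Helpers are not attached to flows automatically any more; the ruleset
    # has to select which traffic gets which helper.
    ct helper sip_udp {
        type "sip" protocol udp
    }

    chain prerouting {
        # Runs after conntrack (priority filter = 0, conntrack is at -200),
        # so the helper can be attached to the freshly created entry.
        type filter hook prerouting priority filter; policy accept;
        udp dport 5060 ct helper set "sip_udp"
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept   # RTP flows expected by the SIP helper arrive as "related"
        iif lo accept
        ip saddr @blocked_v4 drop
        ip6 saddr @blocked_v6 drop
        udp dport 5060 accept
    }
}
```

Load it with `nft -f <file>` and check the helper assignment with `conntrack -L` (the `helper=sip` field on the signalling flow) before trusting that media streams will be accepted as related; without the `ct helper set` rule the SIP flow is accepted but the RTP streams it negotiates are not.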