On Tue, Jan 30, 2024 at 10:05:48PM +0000, Kerin Millar wrote:
> On Tue, 30 Jan 2024 19:34:30 +0000
> Slavko <linux@xxxxxxxxxx> wrote:
> > + sets will store protocol agnostic L3 addresses and it doesn't
> > matter (for me) if IPv4 will be mapped to IPv6 or these L3 sets
> > will internally maintain two sets -- one for IPv4 and one for IPv6
>
> Now that you mention it, I thought that I recalled someone filing a related issue at bugzilla but it seems that my memory is playing tricks on me. I can find no such issue now, although there is one that (sort of) proposed an equivalent to the list:set type of ipset. That one was rejected.

For what it's worth, I had a look in bugzilla regarding easy rule writing two years or so ago, found a number of related bugs, none of them with a visible reaction, and decided to spend my time with more productive tasks. Sadly, I didn't take bookmarks, and looking again earlier this week didn't show any results. I might have looked differently back then.

> That seems a fair assessment to me. While iptables has the advantage of being simpler in many ways, the iptables(8) man page probably does a better job of on-boarding new users to the underlying concepts. Rusty Russell's guides and HOWTOs were also rather good in their day. Technical writing is a talent unto itself and some people are just naturally good at it (no offense intended to the current team, of course).

Docs in Linux netfilter have been a problem in the last ten or so years. I remember myself suddenly in a situation of SIP no longer going through my (unchanged) iptables firewall after a kernel update, to find a blog entry saying that you now need to have a rule sending a packet to the conntrack/nat helper explicitly for the helpers to work. I didn't find any place in the official docs where this major change was mentioned.

I am sure that many of the new, nifty features of iptables, netfilter, nft remain grossly unused because they're not mentioned in Rusty's documents, which are still the gold standard of Linux firewall documentation. Isn't that sad?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421
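The explicit helper assignment that Marc's SIP anecdote refers to, as an added example that is not part of the thread (nftables syntax; SIP signalling on UDP port 5060 and the interface name lan0 are assumptions, and the equivalent iptables rule is given in a comment):

```nft
# Added example, not from the thread. Since the kernel stopped attaching
# conntrack helpers automatically, a helper such as SIP only runs when a
# rule assigns it to the flow. Assumed: SIP on UDP 5060 arriving on lan0.
#
# iptables equivalent (the CT target is only valid in the raw table):
#   iptables -t raw -A PREROUTING -i lan0 -p udp --dport 5060 -j CT --helper sip
table inet filter {
    # Helper object backed by nf_conntrack_sip, UDP flavour.
    ct helper sip-udp {
        type "sip" protocol udp
    }

    # The assignment must see the conntrack entry while it is still
    # unconfirmed: after conntrack (priority -200) but before the entry is
    # confirmed, so a filter-priority prerouting chain is used here.
    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        iifname "lan0" udp dport 5060 ct helper set "sip-udp"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # RTP media set up via SDP shows up as "related" only once the
        # helper has parsed the signalling; without the assignment above
        # those flows are "new" and fall through to the drop policy.
        ct state established,related accept
        iifname "lan0" udp dport 5060 accept
    }
}
```

Load with `nft -f` and verify with `conntrack -L | grep helper=sip` (conntrack-tools), which lists the flows the helper was actually attached to.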