Re: ipset vs. nftables set

On Tue, Nov 12, 2024 at 07:44:17PM +0000, Kerin Millar wrote:
> On Tue, 12 Nov 2024, at 6:18 PM, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >> > But one can have multiple hooks (chains) in one table, even with the
> >> > same priority (I am not suggesting that). Thus one can combine multiple
> >> > tables into one and share sets, e.g. in raw & filter hooks.
> >> 
> >> Don't do that, please.
> >
> > Why not?  Single-table approach makes sense, in my opinion,
> > provided that single table is controlled by single entity, be
> > that a program like firewalld or traditional sysadmin.
> >
> > With multi-table things become awkward due to the imposed
> > scoping rules that prevent cross-table use of sets/maps.
> 
> I read it as being an objection to (potentially) using hooks that
> duplicate one another exactly. Mind you, if it be considered so
> objectionable, why doesn't nft refuse to compile rulesets that do
> this? Or, at least, raise a warning.

A warning to what? example?
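The scoping rule discussed above (a named set belongs to the table that defines it, so chains in a different table cannot reference it) is easiest to see in a ruleset. The following single-table ruleset is an added illustration, not something posted in this thread: one `inet` table owns one named set and uses it from two base chains hooked at different priorities (raw and filter), which is exactly what a split raw/filter table layout could not do. The table, chain and set names and the set elements are constructed for the example.

```nft
# Added illustration (not from the thread): one table, one named set,
# two base chains at different hook priorities sharing that set.
table inet filter {
    # A named set is scoped to its table; a chain in another table
    # cannot write "@blocked_v4". Keeping both hooks in this table is
    # what makes the set shareable.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        # constructed sample entries (documentation ranges)
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # prerouting hook at raw priority (-300): matches before conntrack,
    # so traffic from listed sources never creates a conntrack entry
    chain prerouting_raw {
        type filter hook prerouting priority raw; policy accept;
        ip saddr @blocked_v4 counter drop
    }

    # input hook at filter priority (0): same set, later in the path;
    # the counters on both rules show which chain actually caught traffic
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr @blocked_v4 counter drop
        tcp dport 22 accept
    }
}
```

Loading this with `nft -f` (after `nft flush ruleset`, or in a fresh namespace) installs both chains; `nft list set inet filter blocked_v4` shows the shared set once, and adding elements with `nft add element inet filter blocked_v4 { ... }` affects both hooks at the same time, which is the operational benefit the single-table approach was being argued for. The two hooks here are at different priorities and on different hook points, so the ruleset does not fall into the duplicated-hook case that was being objected to.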
