Re: ipset vs. nftables set

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 12 Nov 2024, at 7:57 PM, Pablo Neira Ayuso wrote:
> On Tue, Nov 12, 2024 at 07:44:17PM +0000, Kerin Millar wrote:
>> On Tue, 12 Nov 2024, at 6:18 PM, Florian Westphal wrote:
>> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> >> > But one can have multiple hooks (chains) in one table, even with the
>> >> > same priority (i not suggest that). Thus one can combine multiple
>> >> > tables into one and share sets, eg. in raw & filter hooks.
>> >> 
>> >> Don't do that, please.
>> >
>> > Why not?  Single-table approach makes sense, in my opinion,
>> > provided that single table is controlled by single entity, be
>> > that a program like firewalld or traditional sysadmin.
>> >
>> > With multi-table things become awkward due to the imposed
>> > scoping rules that prevent cross-table use of sets/maps.
>> 
>> I read it as being an objection to (potentially) using hooks that
>> duplicate one another exactly. Mind you, if it be considered so
>> objectionable, why doesn't nft refuse to compile rulesets that do
>> this? Or, at least, raise a warning.
>
> A warning to what? example?

First of all, what was the nature of the objection? The use of the word, that, was unclear.

If my interpretation that you were objecting to the use of multiple, equivalent hooks - with the same priority - was correct, then I'm effectively posing the question, "why doesn't the tooling reflect the underlying philosophy?"

If my interpretation was incorrect, then my post can be disregarded. However, I would still be none the wiser as to what you were instructing Slavko not to do.

--
Kerin Millar




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux