Re: [ANNOUNCE] ipset 6.13 released

From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org,
	Patrick McHardy <kaber@trash.net>
Subject: Re: [ANNOUNCE] ipset 6.13 released
Date: Sun, 01 Jul 2012 14:17:14 +0100	[thread overview]
Message-ID: <4FF04DDA.3020609@googlemail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1207011446260.2486@blackhole.kfki.hu>

> Yes. You argue the meaning of a keyword. The meaning is well documented in 
> the manpage, but it's totally counter-intuitive for you. Changing the 
> meaning might break working firewalls. Therefore the meaning won't be 
> changed.
>   
This isn't simply a question of "meaning" - it is an issue caused by the 
fact that you have introduced something which, it seems, wasn't properly 
checked initially for whatever reason and that is causing a great deal 
of inconsistency and inconvenience for people, like myself, who use 
ipset on a daily basis.

When I match an incoming packet destined to an IP address for example, I 
have to use, quite rightly, a "dst" designation, but when I match 
against the interface to which this same IP address belongs to, 
according to your man page, I have to use "src" instead - all this, 
simply because you didn't check this properly when hash:net,iface was 
first released and you can't be bothered, for one reason or another, to 
change it simply because "this has been out for a long time"?

Do you think that all the network admins out there will have to remember 
to use "dst" when matching on destination IP addresses, port numbers 
etc, but use exactly the opposite designation - "src" - when matching on 
the same destination interface that same IP address belongs to? Do you 
not see how inconvenient and downright misleading this is? If you can't, 
you are beyond hope, I am afraid.

Right, I am going to include Patrick in this as this whole saga is 
becoming something of a monologue and I need a bit of clarity on this.