From: Amos Jeffries <squid3@treenet.co.nz>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Mr Dash Four <mr.dash.four@googlemail.com>,
<netfilter@vger.kernel.org>, <netfilter-devel@vger.kernel.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [ANNOUNCE] ipset 6.13 released
Date: Mon, 02 Jul 2012 10:58:56 +1200 [thread overview]
Message-ID: <f1ffdaf291ae86a1e111d3edbae4cfa3@treenet.co.nz> (raw)
In-Reply-To: <alpine.DEB.2.00.1207011646110.2749@blackhole.kfki.hu>
On 02.07.2012 03:21, Jozsef Kadlecsik wrote:
> On Sun, 1 Jul 2012, Mr Dash Four wrote:
>
>> > the manpage, but it's totally counter-intuitive for you. Changing
>> the
>> > meaning might break working firewalls. Therefore the meaning won't
>> be
>> > changed.
>> >
>> This isn't simply a question of "meaning" - it is an issue caused by
>> the
>> fact that you have introduced something which, it seems, wasn't
>> properly
>> checked initially for whatever reason and that is causing a great
>> deal
>> of inconsistency and inconvenience for people, like myself, who use
>> ipset on a daily basis.
>
> I have to weight the "great deal of inconsistency and inconvenience"
> caused to you against breaking firewall setups out there. I really
> appreciate your comments, but in this case you should adapt.
>
>> When I match an incoming packet destined to an IP address for
>> example, I
>> have to use, quite rightly, a "dst" designation, but when I match
>> against the interface to which this same IP address belongs to,
>> according to your man page, I have to use "src" instead - all this,
>> simply because you didn't check this properly when hash:net,iface
>> was
>> first released and you can't be bothered, for one reason or another,
>> to
>> change it simply because "this has been out for a long time"?
>>
>> Do you think that all the network admins out there will have to
>> remember
>> to use "dst" when matching on destination IP addresses, port numbers
>> etc, but use exactly the opposite designation - "src" - when
>> matching on
>> the same destination interface that same IP address belongs to? Do
>> you
>> not see how inconvenient and downright misleading this is? If you
>> can't,
>> you are beyond hope, I am afraid.
>
> Do you think all admins constantly read all changelogs, mailing lists
> about all the software they use to catch backward incompatible
> changes?
> You are aware of the "inconveniece", and you could adapt yourself to
> it
> anytime. I'm responsible for every user, for those who never read
> these
> mailing lists as well.
>
>> Right, I am going to include Patrick in this as this whole saga is
>> becoming
>> something of a monologue and I need a bit of clarity on this.
>
> Feel free to involve anyone. Just to sum up: in the case of the
> net:hash,iface type of ipset, the manpage says
>
> "The second direction parameter of the set match and SET target
> modules
> corresponds to the incoming/outgoing interface: src to the incoming
> one
> (similar to the -i flag of iptables), while dst to the outgoing one
> (similar to the -o flag of iptables)."
>
> You argue that the meaning of src/dst for the interface part is
> counter-intuitieve and therefore must be reversed - regardless of the
> backward compatibility issue and the possible breaking of existing
> setups.
Jozsef,
just my 3c on this discussion to see if its any help.
As you say Mr Dash Four brings up a good point about confusion. It
certainly seems to confuse him/her, and very likely others with less
documentation reading experience.
IME the practice when this type of thing happens is good to find some
alternative clear naming for the parameters and to deprecate the old
ones. That allows the old names to be dropped from documented use, but
kept supported for existing config with a warning that admin need to
check the docs for new usage.
For myself, given the man page snippet it is clear what you intended
src/dst to be the "local" src/dst. But it is inconsistent with iptables
usages of src/dst and will trip up anyone not reading that page. Which
is not a good situation to be in.
Having been in that situation myself I sympathize and had this same
argument about the same scope concept with other developers several
times now. We usually end up using some form of "local" terminology for
the box internal details to differentiate from end-to-end scope
terminology. In this case --iface-ip / --oface-ip would probably be the
clearest contenders for your selection. But that is up to you.
/3c
HTH
AYJ
WARNING: multiple messages have this Message-ID (diff)
From: Amos Jeffries <squid3@treenet.co.nz>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Mr Dash Four <mr.dash.four@googlemail.com>,
netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org,
Patrick McHardy <kaber@trash.net>
Subject: Re: [ANNOUNCE] ipset 6.13 released
Date: Mon, 02 Jul 2012 10:58:56 +1200 [thread overview]
Message-ID: <f1ffdaf291ae86a1e111d3edbae4cfa3@treenet.co.nz> (raw)
In-Reply-To: <alpine.DEB.2.00.1207011646110.2749@blackhole.kfki.hu>
On 02.07.2012 03:21, Jozsef Kadlecsik wrote:
> On Sun, 1 Jul 2012, Mr Dash Four wrote:
>
>> > the manpage, but it's totally counter-intuitive for you. Changing
>> the
>> > meaning might break working firewalls. Therefore the meaning won't
>> be
>> > changed.
>> >
>> This isn't simply a question of "meaning" - it is an issue caused by
>> the
>> fact that you have introduced something which, it seems, wasn't
>> properly
>> checked initially for whatever reason and that is causing a great
>> deal
>> of inconsistency and inconvenience for people, like myself, who use
>> ipset on a daily basis.
>
> I have to weight the "great deal of inconsistency and inconvenience"
> caused to you against breaking firewall setups out there. I really
> appreciate your comments, but in this case you should adapt.
>
>> When I match an incoming packet destined to an IP address for
>> example, I
>> have to use, quite rightly, a "dst" designation, but when I match
>> against the interface to which this same IP address belongs to,
>> according to your man page, I have to use "src" instead - all this,
>> simply because you didn't check this properly when hash:net,iface
>> was
>> first released and you can't be bothered, for one reason or another,
>> to
>> change it simply because "this has been out for a long time"?
>>
>> Do you think that all the network admins out there will have to
>> remember
>> to use "dst" when matching on destination IP addresses, port numbers
>> etc, but use exactly the opposite designation - "src" - when
>> matching on
>> the same destination interface that same IP address belongs to? Do
>> you
>> not see how inconvenient and downright misleading this is? If you
>> can't,
>> you are beyond hope, I am afraid.
>
> Do you think all admins constantly read all changelogs, mailing lists
> about all the software they use to catch backward incompatible
> changes?
> You are aware of the "inconveniece", and you could adapt yourself to
> it
> anytime. I'm responsible for every user, for those who never read
> these
> mailing lists as well.
>
>> Right, I am going to include Patrick in this as this whole saga is
>> becoming
>> something of a monologue and I need a bit of clarity on this.
>
> Feel free to involve anyone. Just to sum up: in the case of the
> net:hash,iface type of ipset, the manpage says
>
> "The second direction parameter of the set match and SET target
> modules
> corresponds to the incoming/outgoing interface: src to the incoming
> one
> (similar to the -i flag of iptables), while dst to the outgoing one
> (similar to the -o flag of iptables)."
>
> You argue that the meaning of src/dst for the interface part is
> counter-intuitieve and therefore must be reversed - regardless of the
> backward compatibility issue and the possible breaking of existing
> setups.
Jozsef,
just my 3c on this discussion to see if its any help.
As you say Mr Dash Four brings up a good point about confusion. It
certainly seems to confuse him/her, and very likely others with less
documentation reading experience.
IME the practice when this type of thing happens is good to find some
alternative clear naming for the parameters and to deprecate the old
ones. That allows the old names to be dropped from documented use, but
kept supported for existing config with a warning that admin need to
check the docs for new usage.
For myself, given the man page snippet it is clear what you intended
src/dst to be the "local" src/dst. But it is inconsistent with iptables
usages of src/dst and will trip up anyone not reading that page. Which
is not a good situation to be in.
Having been in that situation myself I sympathize and had this same
argument about the same scope concept with other developers several
times now. We usually end up using some form of "local" terminology for
the box internal details to differentiate from end-to-end scope
terminology. In this case --iface-ip / --oface-ip would probably be the
clearest contenders for your selection. But that is up to you.
/3c
HTH
AYJ
next prev parent reply other threads:[~2012-07-01 22:58 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-29 20:04 [ANNOUNCE] ipset 6.13 released Jozsef Kadlecsik
2012-06-30 18:47 ` Jan Engelhardt
2012-06-30 18:47 ` [PATCH] build: restore -version-info Jan Engelhardt
2012-06-30 22:05 ` Jozsef Kadlecsik
2012-06-30 22:15 ` Jan Engelhardt
2012-06-30 22:31 ` Jozsef Kadlecsik
2012-06-30 22:50 ` Jan Engelhardt
2012-07-01 12:11 ` Jozsef Kadlecsik
2012-07-01 16:03 ` Jan Engelhardt
2012-07-01 17:20 ` Jozsef Kadlecsik
2012-07-01 18:36 ` Jan Engelhardt
2012-07-01 20:45 ` Jozsef Kadlecsik
2012-07-01 10:46 ` [ANNOUNCE] ipset 6.13 released Mr Dash Four
2012-07-01 12:09 ` Jozsef Kadlecsik
2012-07-01 12:19 ` Mr Dash Four
2012-07-01 12:37 ` Jozsef Kadlecsik
2012-07-01 12:44 ` Mr Dash Four
2012-07-01 12:52 ` Jozsef Kadlecsik
2012-07-01 13:17 ` Mr Dash Four
2012-07-01 15:21 ` Jozsef Kadlecsik
2012-07-01 16:52 ` Mr Dash Four
2012-07-01 21:30 ` Neal Murphy
2012-07-01 21:55 ` Jan Engelhardt
2012-07-01 22:59 ` Neal Murphy
2012-07-01 22:58 ` Amos Jeffries [this message]
2012-07-01 22:58 ` Amos Jeffries
2012-07-02 7:54 ` Jozsef Kadlecsik
2012-07-02 13:11 ` Mr Dash Four
2012-07-02 13:26 ` Jozsef Kadlecsik
2012-07-02 14:28 ` Mr Dash Four
2012-07-02 20:26 ` Jozsef Kadlecsik
2012-07-10 16:27 ` Alex Bligh
2012-07-10 16:27 ` Alex Bligh
2012-07-01 18:32 ` Steven Kath
2012-07-01 13:21 ` Andreas Herz
2012-07-01 14:44 ` Jozsef Kadlecsik
2012-07-10 9:12 ` Andreas Herz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f1ffdaf291ae86a1e111d3edbae4cfa3@treenet.co.nz \
--to=squid3@treenet.co.nz \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=mr.dash.four@googlemail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.