[Bug 1184] disable implicit concatenating of elements of sets with flag interval

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Oct 9 09:59:11 CEST 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1184

--- Comment #7 from Karel Rericha <karel at unitednetworks.cz> ---
(In reply to Pablo Neira Ayuso from comment #5)
> Hi Karel,
> 
> (In reply to Karel Rericha from comment #4)
> If we go for this variant, we would need to disable automerge in implicit
> sets by default too, e.g.
> 
>    # nft add rule x y ip saddr { 1.1.1.1, 1.1.1.2, 1.1.1.4-1.1.1.6 }
> 
> # nft list ruleset
> ...
>              ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.4-1.1.1.6 }
> 
> So we don't automagically do these things. I would say it's better if we
> leave this feature as something the user can explicitly request, through a
> global policy or through some new nft option to request an explicit ruleset
> optimization.

Hi Pablo,

I am back from vacation. Regarding anonymous (implicit) sets, automerge is a good
thing and we can leave it enabled by default, because it doesn't break things,
so let anonymous sets have a hidden automerge flag (they actually already have a
hidden interval flag).

But in named sets automerge breaks things for sure. So let it be an explicit flag.

And I am against moving this to some kind of global policy or option for a few
reasons:
- optimization, by my feeling, should never break things
- it is perfectly possible to request automerge and non-automerge interval
named sets in one ruleset
- disabling automerge on anonymous sets brings only one thing: the set will appear
different in the rule listing than it was entered (and that is an inconsistency we can
live with, because it is already broken by the hidden interval flag in anonymous
sets, see the following ...)

nft add rule x y ip saddr { 1.1.1.0-1.1.1.1 } accept

lists already as

ip saddr { 1.1.1.0/31 } accept

So we can make automerge explicit in anonymous sets somehow too, but there is no
point if we don't make the interval flag explicit too.

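The two listing effects argued over above, merging of adjacent elements and the range-to-prefix rendering of `1.1.1.0-1.1.1.1`, as an added Python model (not nft's code, and not part of the bug report): `automerge` collapses overlapping or directly adjacent IPv4 ranges, `format_element` renders a range as a prefix only when it is exactly one CIDR block, and `list_set` shows what the listing would look like with and without automerge. The element syntax and merge rule are my assumptions about nft's behaviour, based only on the two listings quoted in the thread.

```python
"""Constructed model of interval-set listing, after netfilter bug 1184."""
import ipaddress


def parse_element(text):
    """Turn '1.1.1.1' or '1.1.1.4-1.1.1.6' into an inclusive (lo, hi) int pair."""
    lo, _, hi = text.partition("-")
    lo_addr = ipaddress.IPv4Address(lo.strip())
    hi_addr = ipaddress.IPv4Address(hi.strip()) if hi else lo_addr
    if hi_addr < lo_addr:
        raise ValueError(f"inverted range: {text}")
    return int(lo_addr), int(hi_addr)


def automerge(elements):
    """Merge overlapping or directly adjacent ranges (assumed automerge rule)."""
    ranges = sorted(parse_element(e) for e in elements)
    merged = []
    for lo, hi in ranges:
        # lo <= previous hi + 1 covers both overlap and adjacency (1.1.1.1, 1.1.1.2)
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def format_element(lo, hi):
    """Render a range: single address, one CIDR prefix if it is exactly one
    block (1.1.1.0-1.1.1.1 -> 1.1.1.0/31), otherwise lo-hi."""
    lo_addr, hi_addr = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    if lo == hi:
        return str(lo_addr)
    nets = list(ipaddress.summarize_address_range(lo_addr, hi_addr))
    if len(nets) == 1:
        return str(nets[0])
    return f"{lo_addr}-{hi_addr}"


def list_set(elements, merge=True):
    """Elements as a ruleset listing would show them, with or without automerge."""
    if merge:
        ranges = automerge(elements)
    else:
        ranges = sorted(parse_element(e) for e in elements)
    return [format_element(lo, hi) for lo, hi in ranges]


if __name__ == "__main__":
    print(list_set(["1.1.1.1", "1.1.1.2", "1.1.1.4-1.1.1.6"]))
    print(list_set(["1.1.1.1", "1.1.1.2", "1.1.1.4-1.1.1.6"], merge=False))
    print(list_set(["1.1.1.0-1.1.1.1"]))
```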