<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - disable implicit concatenating of elements of sets with flag interval"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1184#c7">Comment # 7</a>
on <a class="bz_bug_link
bz_status_ASSIGNED "
title="ASSIGNED - disable implicit concatenating of elements of sets with flag interval"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1184">bug 1184</a>
from <span class="vcard"><a class="email" href="mailto:karel@unitednetworks.cz" title="Karel Rericha <karel@unitednetworks.cz>"> <span class="fn">Karel Rericha</span></a>
</span></b>
<pre>(In reply to Pablo Neira Ayuso from <a href="show_bug.cgi?id=1184#c5">comment #5</a>)
<span class="quote">> Hi Karel,
>
> (In reply to Karel Rericha from <a href="show_bug.cgi?id=1184#c4">comment #4</a>)
> If we go for this variant, we would need to disable automerge in implicit
> sets by default too, eg.
>
> # nft add rule x y ip saddr { 1.1.1.1, 1.1.1.2, 1.1.1.4-1.1.1.6 }
>
> # nft list ruleset
> ...
> ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.4-1.1.1.6 }
>
> So we don't automagically do these things. I would say it's better if we
> leave this feature for something that the user can explicitly request, through
> global policy, or through some new nft option to request an explicit ruleset
> optimization.</span >
Hi Pablo,
I am back from vacation. Regarding anonymous (implicit) sets, automerge is a good
thing and we can leave it enabled by default, because it doesn't break things,
so let anonymous sets have a hidden automerge flag (they actually already have a
hidden interval flag).
But in named sets automerge breaks things for sure. So let it be an explicit flag.
And I am against moving this to some kind of global policy or option for few
reasons:
- optimization by my feeling should never break things
- it is perfectly possible to request automerge and non automerge interval
named sets in one ruleset
- disabling automerge on anonymous sets brings only one thing: the set will appear
different in rule listing than it was entered (and that is inconsistency we can
live with, because it is already broken by hidden interval flag in anonymous
sets, see following ...)
nft add rule x y ip saddr { 1.1.1.0-1.1.1.1 } accept
lists already as
ip saddr { 1.1.1.0/31 } accept
So we can make automerge explicit in anonymous sets somehow too, but it has no
point if we don't make the interval flag explicit too.</pre>
</div>
</p>
</body>
</html>