[Bug 1184] disable implicit concatenating of elements of sets with flag interval

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Oct 2 14:01:57 CEST 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1184

--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi Karel,

(In reply to Karel Rericha from comment #4)
> Hi Pablo,
> 
> I would vote for variant #2.
> 
> Disable automerge as default and add automerge flag. True it might break
> some very specific case when someone is expecting implicit automerge, but I
> would say it will be very rare. Much more often people will run into
> problems not expecting implicit automerge.

Agreed.

If we go for this variant, we would need to disable automerge in implicit sets
by default too, eg.

   # nft add rule x y ip saddr { 1.1.1.1, 1.1.1.2, 1.1.1.4-1.1.1.6 }

   # nft list ruleset
   ...
            ip saddr { 1.1.1.1-1.1.1.2, 1.1.1.4-1.1.1.6 }

So we don't automagically do these things. I would say it's better if we leave
this as a feature that the user can explicitly request, through a global
policy, or through some new nft option to request an explicit ruleset
optimization.

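To make the behaviour under discussion concrete, here is a small model of set element handling with and without automerge. This is an added example written for this page; it is not nftables code and does not call nft. It takes the element list from Pablo's example, shows how implicit automerge turns the two single addresses into the range 1.1.1.1-1.1.1.2, and shows the follow-on problem for a ruleset author who later tries to delete 1.1.1.1 by name: with automerge the stored element is the merged range, so an exact-match delete no longer finds it. The names build_set and delete_element, and the choice to reject overlapping elements when automerge is off, are assumptions of this model, not nft's own API or exact error behaviour.

```python
import ipaddress


def parse_element(text):
    """Parse '1.1.1.1' or '1.1.1.4-1.1.1.6' into an inclusive (start, end) pair of ints."""
    if "-" in text:
        start, end = text.split("-", 1)
    else:
        start = end = text
    s = int(ipaddress.IPv4Address(start.strip()))
    e = int(ipaddress.IPv4Address(end.strip()))
    if s > e:
        raise ValueError(f"inverted range {text}")
    return (s, e)


def fmt(rng):
    """Render a (start, end) pair back into nft-style element text."""
    s, e = rng
    if s == e:
        return str(ipaddress.IPv4Address(s))
    return f"{ipaddress.IPv4Address(s)}-{ipaddress.IPv4Address(e)}"


def build_set(elements, automerge=False):
    """Model of what an interval set stores for the given elements.

    automerge=True: adjacent or overlapping elements are collapsed into one
    range (the implicit behaviour the bug report complains about).
    automerge=False: elements are stored as given; overlapping elements are
    rejected by this model (assumption: nft itself reports a conflict).
    """
    ranges = sorted(parse_element(t) for t in elements)
    if not automerge:
        for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
            if s2 <= e1:
                raise ValueError(f"element {fmt((s2, e2))} overlaps {fmt((s1, e1))}")
        return [fmt(r) for r in ranges]
    merged = []
    for s, e in ranges:
        # s <= last_end + 1 covers both overlap and adjacency (1.1.1.1 next to 1.1.1.2)
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return [fmt(r) for r in merged]


def delete_element(elements, victim, automerge=False):
    """Model of 'delete element' by exact match against what the set stores.

    Returns the remaining stored elements, or raises KeyError when the
    requested element is not stored in that exact form.
    """
    stored = build_set(elements, automerge)
    if victim not in stored:
        raise KeyError(f"{victim} not stored as an element; stored elements: {stored}")
    return [e for e in stored if e != victim]


if __name__ == "__main__":
    # Constructed input: the element list from the comment above.
    elems = ["1.1.1.1", "1.1.1.2", "1.1.1.4-1.1.1.6"]
    print("automerge on :", build_set(elems, automerge=True))
    print("automerge off:", build_set(elems, automerge=False))
    print("delete 1.1.1.1, automerge off:", delete_element(elems, "1.1.1.1"))
    try:
        delete_element(elems, "1.1.1.1", automerge=True)
    except KeyError as exc:
        print("delete 1.1.1.1, automerge on :", exc)
```

The last case is the practical argument for an explicit flag: once the set has silently rewritten the elements, anything that refers to them by their original text (a script deleting or checking for a single address) breaks, and the operator only discovers it from the listed ruleset.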