Sylvain Munaut writes ("Re: [PATCH 3/5] hotplug/linux: Improve iptables logic"):
> I used the "any" keywords because when you add v6 you need to
> differentiate the case "none" allowed and "any" allowed to support the
> case where only v6 or only v4 is allowed. So you can't just rely on
> having an
Hi,
> I meant that rather than having a subroutine which adds a wildcard
> rule, you have an explicit "any" address, and tracking if it's been
> added, etc.
I used the "any" keywords because when you add v6 you need to
differentiate the case "none" allowed and "any" allowed to support the
case w
Sylvain Munaut writes ("Re: [PATCH 3/5] hotplug/linux: Improve iptables logic"):
> And just moving the 'out' rule outside of frob_iptables altogether
> seems hackish to me, especially when you add IPv6 later on because you
> have iptables manipulations spread around.
Sorry for the terseness of my
Hi,
> AFAICT the duplicate entries are simply because
>
>> - iptables "$c" FORWARD -w $dev_in_match "$dev" \
>> -"$@" -j ACCEPT 2>/dev/null &&
>> - iptables "$c" FORWARD -w $dev_out_match "$dev" \
>> --j ACCEPT 2>/dev/null
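Review bot: the second iptables call in the removed block (the one matching $dev_out_match "$dev" with only "-j ACCEPT") takes no "$@", so it produces the identical outgoing rule on every invocation of frob_iptables; once the function is called once per address, that rule is inserted once per address, which is the duplication the cover letter describes. Removing it here is correct only if the single outgoing rule is still added exactly once elsewhere in the patch, so that should be verified against the new code. Note also that "2>/dev/null" on both calls hides iptables failures, so a rule insert that fails goes unreported.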
>
> this second line, which does not contain "$@", is invoked onc
Sylvain Munaut writes ("[PATCH 3/5] hotplug/linux: Improve iptables logic"):
> The main goal of this is to pave the way for IPv6 support, but it
> also improves the rules by preventing duplicate incoming-packet
> rules from being added.
>
> frob_iptables now takes a list of address to handle as parame
The main goal of this is to pave the way for IPv6 support, but it
also improves the rules by preventing duplicate incoming-packet
rules from being added.
frob_iptables now takes a list of addresses to handle as parameter
and creates the rules as needed. Any 'common' rule is no longer
repeated.
Here bel