Sylvain Munaut writes ("Re: [PATCH 3/5] hotplug/linux: Improve iptables logic"):
> I used the "any" keywords because when you add v6 you need to
> differentiate the case "none" allowed and "any" allowed to support the
> case where only v6 or only v4 is allowed. So you can't just rely on
> having an
Hi,
> I meant that rather than having a subroutine which adds a wildcard
> rule, you have an explicit "any" address, and tracking if it's been
> added, etc.
I used the "any" keywords because when you add v6 you need to
differentiate the case "none" allowed and "any" allowed to support the
case w
Sylvain Munaut writes ("Re: [PATCH 3/5] hotplug/linux: Improve iptables logic"):
> And just moving the 'out' rule outside of frob_iptables altogether
> seems hackish to me, especially when you add IPv6 later on because you
> have iptables manipulations spread around.
Sorry for the terseness of my
Hi,
> AFAICT the duplicate entries are simply because
>
>> - iptables "$c" FORWARD -w $dev_in_match "$dev" \
>> -"$@" -j ACCEPT 2>/dev/null &&
>> - iptables "$c" FORWARD -w $dev_out_match "$dev" \
>> --j ACCEPT 2>/dev/null
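Review bot: the `&&` joining the two removed iptables calls, combined with `2>/dev/null` on both, means that whenever the first FORWARD call (the `$dev_in_match` rule carrying `"$@"`) fails, the second call for `$dev_out_match` is silently skipped and nothing is reported, so the two rules do not stay in step. If the `$dev_out_match` rule is meant to be independent of the per-address rule, it should be issued unconditionally rather than chained with `&&`, and the stderr of at least one of the calls should be kept so that a failed rule is visible in the hotplug log instead of being discarded.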
>
> this second line, which does not contain "$@", is invoked onc
Sylvain Munaut writes ("[PATCH 3/5] hotplug/linux: Improve iptables logic"):
> The main goal of this is to pave the way for IPv6 support, but it
> also improves the rules by preventing duplicate incoming-packet
> rules from being added.
>
> frob_iptables now takes a list of addresses to handle as parame