@@ -190,6 +190,10 @@ enum ip_set_dim {
* If changed, new revision of iptables match/target is required.
*/
IPSET_DIM_MAX = 6,
+ /*
+ * Indicates whether the new 'iface' format (in/out) has been used.
+ */
+ IPSET_DIM_IFACE = 7,
};
/* Option flags for kernel operations */
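Review bot: IPSET_DIM_IFACE = 7 is added to enum ip_set_dim above IPSET_DIM_MAX = 6, yet its own comment describes an indicator for the 'iface' format, not a dimension. The context comment directly above says a change here requires a new revision of the iptables match/target; the added comment should say whether that applies to this value. It should also state that the value is only a bit position for IPSET_DIM_IFACE_INOUT, or the constant could be defined next to that flag so it is not mistaken for a seventh dimension.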
@@ -198,6 +202,7 @@ enum ip_set_kopt {
IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+ IPSET_DIM_IFACE_INOUT = (1 << IPSET_DIM_IFACE),
};
#endif /* __IP_SET_H */
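Review bot: IPSET_DIM_IFACE_INOUT is added to enum ip_set_kopt, which the header labels as option flags for kernel operations, while the commit message describes the patch as userspace changes only. Please add a comment on the new line saying what the flag means when set, and state in the commit message which kernel-side change it relies on and how a kernel that does not know this bit is expected to behave. The name also departs from the neighbouring IPSET_DIM_*_SRC pattern, which the same comment could explain.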
@@ -800,10 +800,10 @@ set, or by the host prefix value if the set is empty.
.PP
The second direction parameter of the \fBset\fR match and
\fBSET\fR target modules corresponds to the incoming/outgoing interface:
-\fBsrc\fR to the incoming one (similar to the \fB\-i\fR flag of iptables), while
-\fBdst\fR to the outgoing one (similar to the \fB\-o\fR flag of iptables). When
-the interface is flagged with \fBphysdev:\fR, the interface is interpreted
-as the incoming/outgoing bridge port.
+\fBin\fR for the incoming,
+\fBout\fR for the outgoing interface, thus, consistent with their appropriate flags in netfilter/iptables), while the format used in prior versions of ipset is also supported:
+\fBsrc\fR indicating the incoming and
+\fBdst\fR the outgoing interface respectively. If the interface value is preceded with \fBphysdev:\fR, the interface is then interpreted as bridge port.
.PP
The lookup time grows linearly with the number of the different prefix
values added to the set.
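Review bot: the added line ending in "netfilter/iptables), while the format used in prior versions of ipset is also supported:" carries a closing parenthesis with no opening one, left over from the removed "(similar to the \fB\-i\fR flag of iptables)" wording, so the sentence no longer parses. Suggest rewriting it as two sentences, one for \fBin\fR/\fBout\fR and one for the still-supported \fBsrc\fR/\fBdst\fR, and naming the \fB\-i\fR and \fB\-o\fR flags explicitly instead of "their appropriate flags". The \fBphysdev:\fR sentence also drops the "incoming/outgoing" qualifier the old text had for the bridge port, and the two new lines are far longer than the surrounding man page source lines.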
Userspace changes to ipset, allowing 'in' and 'out' values to be specified for the 'iface' part of hash:net,iface type sets. Man page updated accordingly.

Signed-off-by: Mr Dash Four <mr.dash.four@googlemail.com>
---
 include/libipset/linux_ip_set.h | 5 +++++
 src/ipset.8                     | 8 ++++----
 2 files changed, 9 insertions(+), 4 deletions(-)