MAC address ipsets should not be limited to a single family

[brianjmurrell]

If I have an ipset:

config ipset
	list match 'src_mac'
…

it seems that I cannot have multiple (i.e. any) family for it. Instead I need to maintain two duplicate ipsets each with option family 'ipv4' and option family 'ipv6' to be able to use in rules such as:

config rule
	option name 'FFA hosts can use the Internet'
	option ipset 'FFA-to-Internet_v4'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'any'
	list proto 'all'

config rule
	option name 'FFA hosts can use the Internet'
	option ipset 'FFA-to-Internet_v6'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'any'
	list proto 'all'

in order to produce the following two NFT rules:

                meta nfproto 2 ether saddr @FFA-to-Internet_v4 counter packets 65 bytes 6038 jump accept_to_wan comment "!fw4: FFA hosts can use the Internet" # handle 20166
                meta nfproto 10 ether saddr @FFA-to-Internet_v6 counter packets 207 bytes 24765 jump accept_to_wan comment "!fw4: FFA hosts can use the Internet" # handle 20167

NFT allows the above to be in a single rule:

                meta nfproto { 2, 10 } ether saddr @FFA-to-Internet_v4 counter packets 2188 bytes 194437 jump accept_to_wan # handle 20362

added manually with:

# nft add rule inet fw4 forward_lan position 20165 meta nfproto { ipv4, ipv6 } ether saddr @FFA-to-Internet_v4 counter packets 2149 bytes 190394 jump accept_to_wan

Could this family restriction on MAC based ipsets be lifted so that we don't have so much duplication and duplicated maintenance in the firewall config?

[brada4]

Will be addressed some day.
#35
You dont need to specify meta nfproto, as it has just 2 usable values nft describe meta nfproto