On 9/19/10 9:40 AM, Tom Eastep wrote:
> On 09/19/2010 09:33 AM, Mr Dash Four wrote:
>> One of the limitations in ipset is that it does not allow me to specify
>> IP,Port pairs in the same construct (map, hashmap etc) where the IP
>> address is not a B-class address (/16). To overcome this issue I have
>> resorted to some creative Shorewall statements in my rules file like:
>>
>> ACCEPT $FW:+dest-port-map[dst] net:+dest-ip-map
>>
>> This produces the right result, in a round-about way (it produces a code
>> containing 2 match-set constructs - both are 'dst').
>
> That's the best way to do what you are trying to do.
>
>> Is there another - preferably more straight-forward - possibility? I was
>> thinking of, maybe, separating the second part (net:...) with commas and
>> using something like:
>>
>> ACCEPT $FW net:+dest-ip-map,+dest-port-map
>
> That syntax is already supported but produces two separate rules; been that
> way forever so changing it is not an option.
>
>> but do not know whether it is possible to implement in Shorewall? The
>> above alternative would also allow me to include ipset pairs containing
>> protocols (udp, tcp, icmp even)
>
> I'll think about an alternative syntax for 4.4.14...
4.4.14 will support this syntax:
ACCEPT $FW net:[+dest-ip-map,+dest-port-map],...
Using [...] to delimit the ipset list allows embedded [src|dst,...] to
be handled easily.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
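The practical difference between the two rule shapes discussed in this thread is easy to miss from the rules file alone: one rule carrying two match-set clauses accepts only when both sets match, while the comma form that "produces two separate rules" accepts when either set matches, because the first matching rule in the chain wins. The following is an added example, not code from the thread or from Shorewall itself; it models that chain evaluation in Python and renders the iptables match-set clauses the rules expand to. The set names come from the thread, the set members, the packets and the chain name fw2net are constructed sample data, and the order of the two clauses inside the combined rule is arbitrary (the page does not state it).

```python
# Added example (not from the Shorewall list thread): models how netfilter
# evaluates one rule with two "-m set --match-set NAME dst" clauses versus
# two separate single-clause rules, and renders the iptables form of each.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class IPSet:
    """A simplified ipset: a name, what it holds ("ip" or "port"), members."""
    name: str
    kind: str
    members: frozenset


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class MatchSet:
    """One --match-set clause; only the dst flag is needed for this use case."""
    ipset: IPSet
    flag: str = "dst"

    def matches(self, pkt: Packet) -> bool:
        if self.flag != "dst":
            raise ValueError("only the dst flag is modelled here")
        value = pkt.dst_ip if self.ipset.kind == "ip" else pkt.dst_port
        return value in self.ipset.members


@dataclass(frozen=True)
class Rule:
    target: str
    matches: tuple

    def hit(self, pkt: Packet) -> bool:
        # All clauses on one rule must match (AND).
        return all(m.matches(pkt) for m in self.matches)

    def to_iptables(self, chain: str) -> str:
        parts = [f"-A {chain}"]
        parts += [f"-m set --match-set {m.ipset.name} {m.flag}" for m in self.matches]
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def evaluate(chain: list[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; fall through to the chain policy."""
    for rule in chain:
        if rule.hit(pkt):
            return rule.target
    return policy


# Constructed sample sets standing in for dest-ip-map and dest-port-map.
DEST_IP_MAP = IPSet("dest-ip-map", "ip", frozenset({"203.0.113.10", "203.0.113.11"}))
DEST_PORT_MAP = IPSet("dest-port-map", "port", frozenset({443, 8443}))

# Shape 1: ACCEPT $FW:+dest-port-map[dst] net:+dest-ip-map
# -> one rule, two match-set clauses, both dst.
COMBINED = [Rule("ACCEPT", (MatchSet(DEST_PORT_MAP), MatchSet(DEST_IP_MAP)))]

# Shape 2: ACCEPT $FW net:+dest-ip-map,+dest-port-map
# -> two separate rules; either one matching is enough to ACCEPT.
SEPARATE = [
    Rule("ACCEPT", (MatchSet(DEST_IP_MAP),)),
    Rule("ACCEPT", (MatchSet(DEST_PORT_MAP),)),
]


def compare(pkt: Packet) -> dict[str, str]:
    """Verdict of each chain shape for the same packet."""
    return {"combined": evaluate(COMBINED, pkt), "separate": evaluate(SEPARATE, pkt)}


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", 443), Packet("203.0.113.10", 22),
                Packet("198.51.100.5", 443)):
        print(pkt, compare(pkt))
    for rule in COMBINED + SEPARATE:
        print(rule.to_iptables("fw2net"))  # fw2net is an illustrative chain name
```

Running it shows a packet to a listed address on an unlisted port (203.0.113.10:22) dropped by the combined rule but accepted by the two-rule expansion, which is why the single-rule form is the one that actually expresses an IP,port pair.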
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
