> 4.4.14 will support this syntax:
>
>     ACCEPT $FW net:[+dest-ip-map,+dest-port-map],...
>
> Using [...] to delimit the ipset list allows embedded [src|dst,...] to
> be handled easily.

I presume whether it would be src or dst will be determined by its
positioning, for example:

    ACCEPT $FW[+src-ip-map,src-port-map] net:[+dst-ip-map,+dst-port-map]

as there won't be any restrictions as to the number of ipsets included.

Also, would it not make more sense to use this syntax:

    net:+[dst-ip-map,dst-port-map]

or is that not doable (saving a plus sign, and it looks more ... logical)?

Another thing I haven't thought of, but you need to account for it if you
are to implement this: currently ipsets with triplets, whatever they are,
definitely include a protocol name, so potentially there may be a clash
(for example when I have udp in my src triplet and then specify another
triplet having the tcp protocol as my dst).

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
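The point in the quoted message (an outer `[...]` around the ipset list makes an embedded `[src,dst]` flag list easy to handle) and the alternative `net:+[a,b]` spelling proposed in the reply can both be shown with a small bracket-aware parser. The code below is an added example, not Shorewall's own parser; it assumes an ipset token is `+name` optionally followed by `[src,dst]` flags, that `zone:[+a,+b]` and `zone:+[a,b]` are the two candidate spellings, and that flags may be any combination of `src` and `dst`. It goes one step beyond the thread by accepting both spellings in one routine.

```python
# Added example (not Shorewall's code): bracket-aware parser for the proposed
# "zone:[+set,+set[src,dst]]" ipset-list syntax and the "zone:+[set,set]"
# alternative. Token shape, flag names and the alternative spelling are
# assumptions made for illustration only.
import re

# Name class and flag list are assumptions; adjust if the real grammar differs.
_SET_RE = re.compile(r'^\+?([A-Za-z0-9_.\-]+)(?:\[([a-z,]*)\])?$')
_FLAGS = {'src', 'dst'}


def split_top_level(text):
    """Split TEXT on commas that are not nested inside [...].

    str.split(',') would cut "+a,+b[src,dst]" into three pieces, which is
    exactly why delimiting the whole list with [...] keeps the embedded
    per-set flag list unambiguous.
    """
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == '[':
            depth += 1
        elif ch == ']':
            if depth == 0:
                raise ValueError("unbalanced ']' in %r" % text)
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError("unbalanced '[' in %r" % text)
    parts.append(''.join(cur))
    return parts


def parse_ipset(token, plus_required=True):
    """Parse one "+name[src,dst]" token into (name, flags-tuple)."""
    token = token.strip()
    if plus_required and not token.startswith('+'):
        raise ValueError("ipset reference must start with '+': %r" % token)
    m = _SET_RE.match(token)
    if not m:
        raise ValueError("malformed ipset reference %r" % token)
    name, flags = m.group(1), m.group(2)
    flag_list = [f for f in flags.split(',') if f] if flags else []
    bad = set(flag_list) - _FLAGS
    if bad:
        raise ValueError("unknown ipset flag(s) %s in %r" % (sorted(bad), token))
    return name, tuple(flag_list)


def parse_address(field):
    """Parse a SOURCE/DEST column into (zone, [(set_name, flags), ...]).

    Accepts "zone", "zone:+set[flags]", "zone:[+set,+set[flags]]" and the
    alternative "zone:+[set,set[flags]]" spelling (one '+' for the list).
    """
    zone, sep, rest = field.partition(':')
    if not sep:
        return zone, []
    plus_required = True
    if rest.startswith('+[') and rest.endswith(']'):
        rest, plus_required = rest[1:], False   # "+[a,b]" form: '+' is global
    if rest.startswith('[') and rest.endswith(']'):
        tokens = split_top_level(rest[1:-1])
    else:
        tokens = [rest]                         # single "+set" as today
    return zone, [parse_ipset(t, plus_required) for t in tokens]


def is_valid(field):
    """True if FIELD parses, False on any syntax error."""
    try:
        parse_address(field)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for sample in ("net:[+dest-ip-map,+dest-port-map[src,dst]]",
                   "net:+[dst-ip-map,dst-port-map]",
                   "net:+blacklist[src]",
                   "$FW"):
        print(sample, "->", parse_address(sample))
```

The parser only deals with the spelling; it cannot see the protocol stored in each ipset entry, so the udp-versus-tcp clash raised above still has to be checked against the sets' actual contents when the rule is compiled.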
