On 9/19/10 12:41 PM, Mr Dash Four wrote:
>
>> 4.4.14 will support this syntax:
>>
>> ACCEPT $FW net:[+dest-ip-map,+dest-port-map],...
>>
>> Using [...] to delimit the ipset list allows embedded [src|dst,...] to
>> be handled easily.
>>
> I presume whether it would be src or dst will be determined by its
> positioning, for example:
>
> ACCEPT $FW[+src-ip-map,src-port-map] net:[+dst-ip-map,+dst-port-map]
>
> as there won't be any restrictions as to the number of ipsets included.
>
> Also, would it not make more sense to use this syntax:
> net:+[dst-ip-map,dst-port-map] or is that not doable (saving a plus sign
> and it looks more ... logical)?

Good suggestion.

>
> Another thing I haven't thought of, but you need to account if you are
> to implement this: currently ipsets with triplets, whatever they are,
> definitely include a protocol name, so potentially there may be a clash
> (for example when I have udp in my src triplet and then specify another
> triplet having tcp protocol as my dst).

I don't understand the problem -- sorry.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
