>> Another thing I haven't thought of, but you need to account if you are
>> to implement this: currently ipsets with triplets, whatever they are,
>> definitely include a protocol name, so potentially there may be a clash
>> (for example when I have udp in my src triplet and then specify another
>> triplet having tcp protocol as my dst).
>>
>
> I don't understand the problem -- sorry.
>

My fault, sorry! This functionality was, apparently, removed in the newer versions of ipset, so adding protocol in the set is no longer possible.
The possible triplet combinations left in the current ipset are IP,port,IP and IP,port,IP/cidr-size, though with the above additions to 4.4.14 this can be expanded with more natural matches, like IP,port,IP,port for example. The protocol, as it stands, has to be specified outside the set - there is no getting around this limitation as far as I can see.

In the older versions of ipset I could use triplets in the form of IP,port,protocol, which suited me fine, and I could have one set for a list of hosts, ports and protocols (though Shorewall was the problem then, as I could not fit all three of IP, port and protocol using one set AND use Shorewall at the same time without reverting to manual hacking).

The conclusion - not every new version is better than the previous one (I mean ipset, not Shorewall).

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
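The matching model the message describes, as an added example that is not code from this thread or from ipset/Shorewall: a set holds IP,port,IP or IP,port,IP/cidr triplets, a protocol name inside an entry is rejected, and the protocol is checked by the rule, outside the set. The entry parser, the src/dst flag mapping and the packet dictionary format are assumptions made for the illustration.

```python
"""Model of ipset triplet sets and rule matching (added example; the names,
the packet format and the direction flags are assumptions, not ipset's API)."""
import ipaddress
from dataclasses import dataclass

# Protocol names may not appear inside a set entry; the rule carries the protocol.
PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Triplet:
    ip: ipaddress.IPv4Address
    port: int
    net: ipaddress.IPv4Network  # a plain IP,port,IP entry becomes a /32 network


def parse_triplet(entry: str) -> Triplet:
    """Parse 'IP,port,IP' or 'IP,port,IP/cidr'; reject a protocol name in any field."""
    fields = entry.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected three fields: {entry!r}")
    for field in fields:
        if field.split(":")[0].lower() in PROTOCOLS:
            raise ValueError(f"protocol belongs in the rule, not the set: {entry!r}")
    ip, port, net = fields
    return Triplet(ipaddress.IPv4Address(ip), int(port),
                   ipaddress.IPv4Network(net, strict=False))


def build_set(entries):
    return [parse_triplet(e) for e in entries]


def set_matches(triplets, packet, flags=("src", "dst", "dst")):
    """Match like a three-dimension --match-set: each flag says whether the set's
    ip, port and ip/net dimension is taken from the packet's src or dst side.
    packet = {"proto", "src", "dst", "sport", "dport"} (constructed format)."""
    ip_flag, port_flag, net_flag = flags
    ip = ipaddress.IPv4Address(packet[ip_flag])
    port = packet["sport" if port_flag == "src" else "dport"]
    other = ipaddress.IPv4Address(packet[net_flag])
    return any(t.ip == ip and t.port == port and other in t.net for t in triplets)


def rule_matches(triplets, proto, packet, flags=("src", "dst", "dst")):
    """A rule is the protocol (specified outside the set) AND the set match."""
    return packet["proto"] == proto and set_matches(triplets, packet, flags)
```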
