Possible bug, though I do not know whether it is Shorewall- or ipset-related.
The following statement in my rules file used to work with the previous version of Shorewall (again, I don't remember whether the ipset version has also changed since the last build):

    ACCEPT $FW:+vpn-local-port net:+vpn-ec2-hosts[dst,dst] udp

vpn-local-port is a standard portmap-type set. vpn-ec2-hosts, however, is ipporthash (IP:Port combination). The above statement translates to the following line in my fw2net chain:

    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set vpn-local-port src match-set vpn-ec2-hosts dst

I am not sure whether I've had the "dst" bit twice (i.e. "dst,dst") with the second match-set with the previous version of Shorewall/ipset, but the above definitely does NOT work and I am now getting DROP alarms, which isn't right! My ipset version is 4.2.

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
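A check for the symptom reported above, as an added example that is not part of the original post or of Shorewall: it scans an iptables listing for set matches that carry fewer direction flags than the set type needs (an ipporthash set takes two, one for the IP and one for the port). The function name and the second listing line are constructed for illustration; the set names and types are the ones given in the post.

```python
import re

# Number of src/dst flags each ipset 4.x set type expects in a set match.
DIMENSIONS = {
    "ipmap": 1, "portmap": 1, "iphash": 1, "nethash": 1,
    "ipporthash": 2, "ipportiphash": 3, "ipportnethash": 3,
}

# Matches "match-set <name> <flag>[,<flag>...]" as printed by iptables -L -n -v.
MATCH_SET = re.compile(r"match-set\s+(\S+)\s+((?:src|dst)(?:,(?:src|dst))*)")

# Set names and types as described in the post.
SET_TYPES = {"vpn-local-port": "portmap", "vpn-ec2-hosts": "ipporthash"}

# Line 1 is the fw2net rule quoted in the post; line 2 is constructed to show
# what the same rule looks like when both flags reach iptables.
SAMPLE_LISTING = """\
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set vpn-local-port src match-set vpn-ec2-hosts dst
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set vpn-local-port src match-set vpn-ec2-hosts dst,dst
"""


def under_specified(listing, set_types):
    """Return (line_no, set_name, flags_given, flags_needed) for short matches."""
    findings = []
    for line_no, line in enumerate(listing.splitlines(), 1):
        for name, flags in MATCH_SET.findall(line):
            needed = DIMENSIONS.get(set_types.get(name))
            if needed is None:
                continue  # unknown set or set type: nothing to compare against
            given = len(flags.split(","))
            if given < needed:
                findings.append((line_no, name, given, needed))
    return findings


if __name__ == "__main__":
    for line_no, name, given, needed in under_specified(SAMPLE_LISTING, SET_TYPES):
        print(f"line {line_no}: set {name} matched with {given} flag(s), "
              f"type needs {needed}")
```
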
