> Beta 1 is now available for testing. It has a single enhancement over
> 4.4.13:
>
> 1) Multiple source or destination ipset matches can be generated by
> enclosing the ipset list in [...].
>
> Example (/etc/shorewall/rules):
>
> ACCEPT $FW net:+[dest-ip-map,dest-port-map]
>
> See shorewall-ipsets(5) for additional information.
>
> Thank you for testing,

OK, I've done some testing and it works, though I came across something I am not sure is to do with Shorewall:
1. ipset allows for macipmap to be defined - that is, ip,mac combinations. Even though I did define such a set and set it properly in my rules file (which Shorewall translated properly), I do not seem to be able to get a match - don't know why. For example, I've set my local test bed with its ip,mac combo (i.e. src-ip-set[src,src]); I've got Shorewall's translation as match-set src-ip-set src,src, which seems to be right, though I cannot get any matches on that rule!

2. Shorewall allows for some, frankly, ridiculous combinations like

DROP $FW:+[ip-set[src],ip-port-map[dst,dst]] net:+[ip-set[dst],ip-port-map[src,src]]

The above translates without error and produces matches, which are then passed on to iptables (successfully!), though there is absolutely no chance of the above rule producing any match. I have no idea if/how you could stop this (or if you should bother!).

On another note - as I compile my kernel manually (have introduced some 'enhancements' of my own), I also compile and build xtables addons from source. It turns out that, for some unknown reason, ipportiphash and ipportnethash (supporting ip-port-ip and ip-port-net sets) are NOT built in, though the source is compiled and .ko files are produced. When I try to use these two maps (needed to go further with the testing) I get an error saying these two maps are not supported. Bizarre!
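The `+[...]` ipset list syntax from the quoted announcement, and the mixed-direction combination the reply points out, as an added example that is not Shorewall's own code: a small checker that parses a SOURCE or DEST column entry, emits the iptables `-m set --match-set` fragments the post shows (`match-set src-ip-set src,src`), and lists sets whose `src`/`dst` flags all point the opposite way to the column they sit in. The default of a single `src` flag in SOURCE and `dst` in DEST for a set written without flags, and the direction heuristic itself, are assumptions made for this example, not documented Shorewall behaviour.

```python
import re

# Added example, not Shorewall's own code: parse the "+[set1,set2[flags]]"
# ipset column syntax, render iptables "-m set --match-set" fragments and
# flag sets whose flags all point the wrong way for their column.

VALID_FLAGS = {"src", "dst"}
_SET_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[([a-z,]+)\])?$")


def _split_top_level(body):
    """Split 'a[src,dst],b' on commas that are not inside [...]."""
    items, depth, current = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in %r" % body)
        if ch == "," and depth == 0:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '[' in %r" % body)
    items.append("".join(current))
    return [item for item in items if item]


def parse_ipset_column(spec, column):
    """Parse a SOURCE/DEST column entry such as 'net:+[a,b[dst,dst]]'.

    Returns (zone, [(setname, [flags...]), ...]). A set written without
    flags gets one default flag matching its column (assumption made for
    this example: 'src' in SOURCE, 'dst' in DEST).
    """
    if column not in ("SOURCE", "DEST"):
        raise ValueError("column must be SOURCE or DEST")
    zone, sep, rest = spec.partition(":")
    if not sep or not rest.startswith("+"):
        raise ValueError("not an ipset column entry: %r" % spec)
    body = rest[1:]
    if body.startswith("[") and body.endswith("]"):
        names = _split_top_level(body[1:-1])  # the new [...] list form
    else:
        names = [body]                        # classic single '+set' form
    default = "src" if column == "SOURCE" else "dst"
    sets = []
    for item in names:
        m = _SET_RE.match(item)
        if not m:
            raise ValueError("bad ipset spec: %r" % item)
        name, flag_text = m.group(1), m.group(2)
        flags = flag_text.split(",") if flag_text else [default]
        unknown = set(flags) - VALID_FLAGS
        if unknown:
            raise ValueError("unknown ipset flag(s) %s in %r" % (sorted(unknown), item))
        sets.append((name, flags))
    return zone, sets


def to_iptables(sets):
    """Render each set as the iptables match fragment shown in the post."""
    return ["-m set --match-set %s %s" % (name, ",".join(flags)) for name, flags in sets]


def direction_warnings(sets, column):
    """Names of sets whose flags never point the way their column does,
    e.g. a [dst,dst] set in the SOURCE column (heuristic lint, not a
    Shorewall rule)."""
    expected = "src" if column == "SOURCE" else "dst"
    return [name for name, flags in sets if expected not in flags]


if __name__ == "__main__":
    # Constructed input: the rule from the post, one column at a time.
    for column, spec in (("SOURCE", "$FW:+[ip-set[src],ip-port-map[dst,dst]]"),
                         ("DEST", "net:+[ip-set[dst],ip-port-map[src,src]]")):
        zone, sets = parse_ipset_column(spec, column)
        print(column, zone, to_iptables(sets),
              "suspicious:", direction_warnings(sets, column))
```

Run against the post's DROP rule, both columns report one set pointing the wrong way (`ip-port-map` in SOURCE, `ip-port-map` in DEST), which is the check the reply wonders whether Shorewall should perform itself.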
