Hi Tom,

> No. Netfilter doesn't support that so Shorewall can't support it either.

As far as I can see, the only problem is the ctorigdst matching in the ACCEPT rule, which of course does not support ipsets.
Putting the redirect rule in the nat-table with the set-matching active is working - perhaps it would be possible to mark those packets that are going to be redirected and then filter them by that mark in the appropriate INPUT/FORWARD chains?

Thanks for the quick response,
Oliver

--
Netz ArGe Jülich e.V., Heinrich-Mußmann-Straße 18, 52428 Jülich
Chairpersons: Oliver Schmidt, Mirco Wollong
Registered seat of the association: Amtsgerichts Düren, VR 2184, tax number: 213/5752/0747
Non-profit association under §51 ff. AO
http://www.netzags.de
Email: General: [email protected] User support: [email protected] Board: [email protected]
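The mark-then-filter idea raised in the message above, written out as plain iptables rules; this is an added example, not part of the original message and not Shorewall configuration. The set name `proxyclients`, the ports 80 and 3128, and the mark value 0x1 are assumed, constructed values.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset that marks ipset-matched
# packets in mangle, redirects them in nat, and accepts them in filter by mark
# instead of by ctorigdst. Nothing is applied; the rules go to stdout.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules SET_NAME DPORT TO_PORT MARK   (all four arguments are assumptions)
gen_rules() {
    set_name=$1 dport=$2 to_port=$3 mark=$4
    # Reject anything that could smuggle extra options into a rule line.
    case "$set_name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad set name" >&2; return 1 ;;
    esac
    is_port "$dport" && is_port "$to_port" || { echo "bad port" >&2; return 1; }
    case "$mark" in
        0x|0x*[!0-9a-fA-F]*) echo "bad mark" >&2; return 1 ;;
        0x*) ;;
        *) echo "bad mark" >&2; return 1 ;;
    esac
    # mangle PREROUTING is traversed before nat PREROUTING, so the mark is
    # already set when the REDIRECT rule is evaluated, and it is still on the
    # packet when it reaches INPUT with the rewritten destination port.
    cat <<EOF
*mangle
-A PREROUTING -p tcp --dport $dport -m set --match-set $set_name src -j MARK --set-mark $mark
COMMIT
*nat
-A PREROUTING -p tcp --dport $dport -m mark --mark $mark -j REDIRECT --to-ports $to_port
COMMIT
*filter
-A INPUT -p tcp --dport $to_port -m mark --mark $mark -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; review the output before loading it.
gen_rules proxyclients 80 3128 0x1
```

The output can be loaded with `iptables-restore --noflush` once the set exists and the chosen mark bit is not used by other rules on the firewall.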
