On 7/2/10 8:39 PM, Tom Eastep wrote: > On 7/2/10 7:09 PM, Oliver Schmidt wrote: >> Hi Tom, >> >>> No. Netfilter doesn't support that so Shorewall can't support it either. >>> >> As far as I can see, the only problem is the ctorigdst matching in the >> ACCEPT rule, which of course does not support ipsets. >> >> Putting the redirect rule in the nat-table with the set-matching active >> is working - perhaps it would be possible to mark those packets that >> gonna be redirected and then filter them by that mark in the appropriate >> INPUT/FORWARD chains? > > Sorry -- I'm not putting those kinds of hacks into Shorewall.
I should point out, however, that an ipsec *can currently* be used in the ORIGINAL DEST column of a DNAT- or REDIRECT- rule. Coupled with a suitable ACCEPT rule, that should accomplish what you want. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ This SF.net email is sponsored by Sprint What will you do first with EVO, the first 4G phone? Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
