Sent from my iPad
On Apr 27, 2011, at 3:39 PM, Mr Dash Four <[email protected]> wrote:

>
>> I can read fine. But the OP's assertion that this worked in Shorewall 3 is
>> nonsense. The syntax shown in his rule wasn't introduced until Shorewall
>> 4.4.14.
>>
> In other words, nothing to do with ipsets "restrictions" then?
>

As you well know, ipset matches can match 'src', 'dst' or some combination. There is no 'origdst' flag. So the ipset implementation does not support (and has never supported) matching on the original destination. Original destination is matched using the conntrack match, which doesn't accept ipsets. So Shorewall 3 did not provide support for such a match and Shorewall 4 doesn't either.

You were the one that requested the new syntax ([...]) that was implemented in Shorewall 4.4.14.

So while using ipsets in the ORIGINAL DEST column would be cool, the only way to implement it currently would be with some packet marking hack.

-Tom

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
