> Do you mean shorewall-tcrules rather than shorewall-accounting? If so, > that file does support ipsets; that's an oversight in the manpage. > Both, actually. Even though I only use the "accounting" and "tcfilters" files - without ipset as I thought there was no ipset support.
>> was that ipset is not supported. shorewall-accounting does not mention >> anything in any of the columns that ipset syntax is supported, >> shorewall-tcfilters states that ipset is definitely not supported >> (http://shorewall.net/traffic_shaping.htm - scroll down to the tcfilters >> section). >> > > Entries in the tcfilters file generate u32 filters which have no ipset > support (nor will ever, IMO). They use (offset,mask,value) tuples > applied to protocol headers and are not part of Netfilter at all. So > tcrules are the only mechanism available that supports ipsets. > I am no expert, but couldn't ipsets be included at least in the SOURCE/DEST columns of ip addresses/subnets and port ranges, possibly the protocol too as the new generation of ipset could have a tuple of either (sub)net, port and protocol used? That is what I would need ipset to be used for - I am quite happy for the rest to remain as it is. Wouldn't the use of tcrules force me to use simple traffic shaping instead? ------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
