On 5/9/11 7:01 AM, Mr Dash Four wrote:
>
>> But have your favorite IP reference book handy
>> before you try...
>>
> I've just made another observation: ip range (like 10.1.1.0-10.1.1.255
> or even 10.1.1.1,10.1.1.2) is rejected by shorewall, but specifying
> 10.1.1.0/24 is, apparently, OK (I haven't tested whether that would
> actually run though)?
>
> If that is the case it would complicate things significantly when I
> start designing my "compile" script for ipset replacement as I would
> have to create a separate rule (i.e. a line) for each ip address I
> encounter in my ipset - bl**dy hell! OK, I may get away with it if I
> could shove all the ip members into a cidr address, but that is one hell
> of a workaround! Ah, well...

u32 filters work by mask and compare on the contents of the protocol
headers. Not possible to implement a range test directly using that
technique.

But you might look at the shorewall 'iprange' command. It accepts a
range as an argument and reduces that range to a list of CIDR addresses.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
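
The range-to-CIDR reduction discussed in this thread, as an added example that is not part of the original messages and is not shorewall's code: it uses Python's standard `ipaddress` module (not the shorewall `iprange` command) to turn ipset-style members into a minimal CIDR list, then shows each CIDR as the mask-and-compare pair a u32-style test needs. The function names are hypothetical, and offset 12 (the IPv4 source address field) is an assumption about which header field is being matched.

```python
import ipaddress

def members_to_cidrs(members):
    """Reduce members (single IP, CIDR, or lo-hi range) to a minimal CIDR list."""
    nets = []
    for member in members:
        member = member.strip()
        if "-" in member:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in member.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is above range end: {member}")
            # A range becomes the fewest aligned blocks that cover it exactly.
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # strict=True rejects entries with host bits set, e.g. 10.1.1.1/24.
            nets.append(ipaddress.IPv4Network(member, strict=True))
    # Merge adjacent or overlapping blocks so each address is covered once.
    return list(ipaddress.collapse_addresses(nets))

def mask_compare(net, offset=12):
    """Express one CIDR as 'offset&mask=value'; offset 12 is the IPv4 source address."""
    return f"{offset}&0x{int(net.netmask):08X}=0x{int(net.network_address):08X}"

if __name__ == "__main__":
    # Constructed sample members, taken from the forms mentioned in the thread.
    sample = ["10.1.1.0-10.1.1.255", "10.1.2.1", "10.1.2.2", "10.1.3.5-10.1.3.20"]
    for net in members_to_cidrs(sample):
        print(f"{str(net):<16} {mask_compare(net)}")
```

An aligned range such as 10.1.1.0-10.1.1.255 collapses to one mask/value pair, while 10.1.1.1,10.1.1.2 stays as two /32 entries because no single mask covers exactly those two addresses.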
