Hi,

Thanks for the explanation on ipset status
>> Is it possible/sensible/feasible to have shorewall figure out the 'arity'
>> of the ipset?
>
> With ipsets still under such rapid development, I'm reluctant to add any
> code that attempts to understand set types.

:-) What, an update every 2 weeks or so! Come on, shorewall is matching that right now! (and thanks for such rapid development!)

>> Not tested this yet, but is it a more descriptive setup to do something
>> like defining someipset:loc in zones and "somealias br0:+someipset[2]"
>> in hosts? That way I *think* I can use "somealias" everywhere and avoid
>> needing to remember the "arity" in various rules?
>
> I don't believe that a bitmap:ip,mac ipset works in the hosts file. Such
> an ipset can only be used to match the SOURCE address while an ipset
> listed in the hosts file must be able to match both SOURCE and DEST
> addresses.

Hmm, I see your point. Mac is not necessarily known for the dest, so it's not possible to match. An incomplete implementation would be possible to match source on [IP,Mac] and dest on [IP], but that's not supported by ipset...

OK, will use explicit ipsets everywhere, plus perhaps some use of params to tidy things up

Thanks!

Ed W

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
