I think this is yet another dumb question, but...
I (mis)read the ipset documentation to be implying that +[ipset1,ipset2]
is an OR relationship and will match if the user is in either of the two
ipsets?
Shorewall in fact generates the first rule below, which as near as I can
see is an AND relationship:
Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0/0xffff match-set cp1 src,src match-set cp2 src,src MARK or 0x800
    2   149 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0/0xffff match-set cp1 src,src MARK or 0x100
Empirically we can see from above that cp1 matches, but cp1 AND cp2
(empty) don't match any packets.
It's entirely possible that this is intended - if so, do you think the
docs could clarify this here:
http://shorewall.net/manpages/shorewall-ipsets.html
http://shorewall.net/manpages/shorewall-exclusion.html
On reflection the exclusion page highlights that it's an AND
relationship, but only if you understand contraposition logic.
OK, perhaps just the ipset page could be made explicit (please?)
Thanks!
Ed W
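As an added illustration (not code from the post or from Shorewall), the small audit below parses an `iptables -L -v -n` chain listing like the one quoted above and flags any rule that carries more than one `match-set` clause, since every match in a single iptables rule is conjunctive: such a rule only fires for sources that are in all of the named sets at once. The listing is a constructed sample modelled on the post's output; `cp1`/`cp2` are the set names from the post.

```python
import re

# Constructed sample, modelled on the `iptables -L tcpre -v -n` listing in the post.
SAMPLE_LISTING = """\
Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0/0xffff match-set cp1 src,src match-set cp2 src,src MARK or 0x800
    2   149 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x0/0xffff match-set cp1 src,src MARK or 0x100
"""

# A rule line in `-v -n` output starts with the packet and byte counters, then the target.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+")
# Each `match-set <setname> <flags>` clause; "mark match !" does not match because of the hyphen.
MATCH_SET_RE = re.compile(r"match-set\s+(\S+)\s+(\S+)")


def parse_rules(listing):
    """Return one dict per rule line: packet counter, target and the ipsets it requires."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header, column header or blank line
        sets = [name for name, _flags in MATCH_SET_RE.findall(line)]
        rules.append({"pkts": int(m.group(1)), "target": m.group(3), "sets": sets})
    return rules


def audit_conjunctions(rules):
    """Rules that require membership in more than one set simultaneously (AND semantics).

    Returns (set names, packet counter) pairs; a zero counter alongside several sets is
    the symptom described in the post: an intended OR that only matches the intersection.
    """
    return [(r["sets"], r["pkts"]) for r in rules if len(r["sets"]) > 1]


if __name__ == "__main__":
    for sets, pkts in audit_conjunctions(parse_rules(SAMPLE_LISTING)):
        print(f"AND of {' + '.join(sets)} (packets so far: {pkts}); "
              f"matching either set needs one rule per set")
```

Run it against a real listing by replacing `SAMPLE_LISTING` with the output of `iptables -L tcpre -v -n`.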
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users