* ipset question - multiple match-set clauses
From: Ed W @ 2011-07-26 19:18 UTC
To: Mail List - Netfilter
Hi,

If I use multiple match-set clauses am I right in assuming that
these form an "AND" relationship, i.e. all must be satisfied for the rule
to match?

e.g. my mangle chain (generated by shorewall) looks something like:

  Chain tcpre (1 references)
   pkts bytes target  prot opt in  out  source     destination
  ...
      0     0 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    mark match ! 0x0/0xffff match-set cp1 src,src match-set cp2 src,src MARK or 0x800
      2   149 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0    mark match ! 0x0/0xffff match-set cp1 src,src MARK or 0x100

It's clear that the match for only cp1 fires, but the first rule which
matches both cp1/cp2 is not firing.
This seems to be as expected for iptables rules - I'm just debugging
shorewall which has a syntax of "+[ipset1,ipset2]" which is supposed to
generate a logical OR, but generates the above rule (first line). Can
someone please confirm my understanding is correct?
Thanks
Ed W
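
Added example, not part of Ed W's message and not shorewall or netfilter code: a simplified Python model of the two tcpre rules quoted above, showing that match-set clauses within one rule are ANDed and that counters of 0 and 2 packets follow when the source is in cp1 only. The set contents, the packets, and the reading of src,src as (source IP, source port) are assumptions made for the illustration.

```python
# Simplified model of how iptables evaluates the two tcpre rules quoted above.
# Added example: set contents and packets are constructed, and cp1/cp2 are
# assumed to be two-dimensional sets keyed on (source IP, source port).
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    mark: int


@dataclass
class Rule:
    match_sets: tuple   # names of the sets in the rule's match-set clauses
    or_mark: int        # value applied by "MARK or"
    pkts: int = 0       # per-rule packet counter, as listed by iptables -v

    def matches(self, pkt, ipsets):
        # "mark match ! 0x0/0xffff": low 16 bits of the mark must be non-zero.
        if pkt.mark & 0xFFFF == 0:
            return False
        # Every match-set clause in one rule must succeed (logical AND).
        key = (pkt.src_ip, pkt.src_port)
        return all(key in ipsets[name] for name in self.match_sets)


def traverse(rules, pkt, ipsets):
    """Run one packet through the chain; MARK does not end traversal."""
    for rule in rules:
        if rule.matches(pkt, ipsets):
            rule.pkts += 1
            pkt.mark |= rule.or_mark
    return pkt.mark


def tcpre_chain():
    # Rule order and mark values as in the listing above.
    return [Rule(("cp1", "cp2"), 0x800), Rule(("cp1",), 0x100)]


# Constructed set contents: the first sample source is a member of cp1 only.
IPSETS = {"cp1": {("192.0.2.10", 40000)}, "cp2": {("192.0.2.20", 40001)}}

if __name__ == "__main__":
    chain = tcpre_chain()
    for _ in range(2):
        traverse(chain, Packet("192.0.2.10", 40000, mark=0x1), IPSETS)
    print([rule.pkts for rule in chain])
```

In this model an OR over cp1 and cp2 is expressed as one single-set rule per set, since a rule can only narrow its match by adding clauses.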
* Re: ipset question - multiple match-set clauses
From: Ed W @ 2011-07-26 19:29 UTC
To: Mail List - Netfilter
On further reflection this is an extremely dim question - please
disregard...
Ed W