On 11/21/12 6:19 PM, "Mr Dash Four" wrote:
>
>> I just recalled that 'all' can't be qualified with an ipset name (or
>> anything else for that matter).
>>
>> Patch attached.
>>
>> With this patch:
>>
>> - 'all' places the rule in PREROUTING and in OUTPUT
>> - 'all-' places the rule in PREROUTI
>> 2. If possible, could you include a SWITCH column (similar to what
>> you already have in "rules") so that this particular rule is switched
>> on/off if/when desired.
>>
>
> Will be in Beta 2.
OK, will have a look then.
-
> I just recalled that 'all' can't be qualified with an ipset name (or
> anything else for that matter).
>
> Patch attached.
>
> With this patch:
>
> - 'all' places the rule in PREROUTING and in OUTPUT
> - 'all-' places the rule in PREROUTING
> - '$FW' places the rule in OUTPUT
> - All of the a
> A careful reading of the manpage reveals that a zone is required in the
> SOURCE column (and 'all' is appropriate for your use) while a zone is
> disallowed in the DESTINATION column (remember that the packet hasn't
> been routed yet so the destination zone is as yet unknown).
>
> Note: When
> These will have to wait for Beta 2 -- at that point NFLOG() should work
> as you expect and you can specify 'DROP:C_MACRO(info)' if you want to
> make simple 'LOG' rules log at the 'info' level.
Noted.
> Rules in the ALL section come after the blacklist and the
> interface-option checks.
What I
On 11/20/2012 08:18 PM, Mr Dash Four wrote:
>
> 2. If possible, could you include a SWITCH column (similar to what
> you already have in "rules") so that this particular rule is switched
> on/off if/when desired.
>
Will be in Beta 2.
-Tom
--
Tom Eastep\ When I die, I want to go like my
On 11/21/2012 11:09 AM, Tom Eastep wrote:
I am not sure what I am supposed to put in the SOURCE/DESTINATION
columns as a "zone" when in reality I don't care which "zone" this is in
(and I don't think "all" is appropriate). For example, if I want to
emulate "-t raw -I PREROUTING 1 -m set --match
On 11/20/2012 08:18 PM, Mr Dash Four wrote:
>> Patch attached. The new suffixes are:
>>
>> :U (UNTRACKED)
>> :NU (NEW,UNTRACKED)
>> :NIU (NEW,INVALID,UNTRACKED)
> The patch does its job to perfection.
>
Good
>
>> Patch attached. Adds a DROP action to the format-2 conntrack file.
> Th
On 11/20/2012 08:18 PM, Mr Dash Four wrote:
That's an error in the manpage -- to use NFLOG, specify
"LOG:NFLOG(1,0,1)".
I decided to change the code rather than the manpage -- patch
attached.
It doesn't seem to work: I am getting "ERROR: Invalid NFLOG
action(NFLOG(1,0,1):none)"
The statement
Tom
The attached config. generates the following iptables rule:
-A eth0_fwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j ~excl5
which produces the following error message:
iptables-restore v1.4.15: Couldn't load target `~excl5':No such file or
directory
Note, if OPTIMIZE=0 is specified, th