>> I have been wrecking my head to see whether "!" makes any sense in
>> nfacct objects used in ipsets (i.e. "(foobar)!" in your example above)
>> and can't think of any - the set match order is always the same
>> regardless of whether I use "!" or not. In your example above it doesn't
>> make any difference whether I use "(foobar)" or "(foobar)!" - the end
>> result is exactly the same.
>>
>
> Of course. In a SOURCE or DEST list, ! (without a preceding '.') signals
> exclusion. So you have an empty exclusion list when you add '!'. I had no
> intention of supporting the '!' any other way in the SOURCE and DEST
> columns.
>

In other words, using "!" for nfacct objects within ipsets won't make any sense (which is more or less what I pointed out above)? If so, this is currently allowed (i.e. "NFACCT(all) - +dmz-net(foo)!" is allowed).
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
