On 4/22/13 4:54 PM, "Dash Four" <[email protected]> wrote:
>>> I have been wrecking my head to see whether "!" makes any sense in
>>> nfacct objects used in ipsets (i.e. "(foobar)!" in your example above)
>>> and can't think of any - the set match order is always the same
>>> regardless of whether I use "!" or not. In your example above it
>>> doesn't make any difference whether I use "(foobar)" or "(foobar)!" -
>>> the end result is exactly the same.
>>>
>>
>> Of course. In a SOURCE or DEST list, ! (without a preceding '.') signals
>> exclusion. So you have an empty exclusion list when you add '!'. I had
>> no intention of supporting the '!' any other way in the SOURCE and DEST
>> columns.
>>
> In other words, using "!" for nfacct objects within ipsets won't make
> any sense (which is more or less what I pointed out above)? If so, this
> is currently allowed (i.e. "NFACCT(all) - +dmz-net(foo)!" is allowed).

And it was allowed before the nfacct change (e.g., +dmz-net!). Again, the '!' signals that any hosts listed after '!' should be excluded.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
