Steven Jan Springl wrote:
Tom

I have been testing Shorewall-perl with ipsets and have come across a couple of problems.

The ipsets documentation states that negative matches are allowed, however, Shorewall only allows this in the hosts file.

Message:

ERROR: Invalid ipset name (!+sjsset) .......

is produced if any of the following negative matches are specified:

accounting file
sjsx - !+sjsset[2] !+sjsset2[dst,dst] udp 53

blacklist file
!+sjsset -

maclist
ACCEPT br0 11:22:33:44:55:66 !+sjsset

rules
ACCEPT lan:!+sjsset[2] brd:!+sjsset2[5] tcp 22

tcrules
32:CT !+sjsset[1] !+sjsset2[4] tcp

tos
!+sjsset[2] !+sjsset2[3] all - - 8

tunnels
ipsec:noah wan !+sjsset[4] lan,wan

All of the above should be fixed in revision 8567.
###############################
If the following hosts file configuration is specified:
loo br0:+sjsset[2] maclist
produces the following message:
ERROR: Invalid ipset name (+sjsset[2]) ......
Note: an ipset of the above format is allowed in all other config files.
But there is no requirement for it in that context that I can see. And it opens the door to totally broken entries like:
loo br0:+tmeset[src,dst,src]
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
