> The ipsets that back dynamic *zones* are always saved.

Hadn't gotten to dynamic zones yet.  On the to-do list.

> If SAVE_IPSETS is set, then *all* ipsets are saved.

Yes

> The SAVE_IPSETS setting in shorewall-init must specify a pathname to
> the file where you want the sets saved.

I actually knew that, and mistyped anyway.

> Specific sets is doable too, but it is quite a bit of work.
(snip)

Hm. The devil's in the details of the in-SW implementation, then.  I need to
re-think whether this belongs outside, in lib.private.  My own kludgy Perl
scripts are fairly trivial -- but don't worry about effect across SW, of course.

> Turns out that it isn't that hard, but I'll require ipset 5 or later.

Ah.  Fwiw, here,

        ipset -v
                ipset v6.23, protocol version: 6

Checking what a couple of distros shipped,

        Opensuse Release 13.1 --> v6.21.1
        Opensuse Release 13.1 --> v6.16.1
        Debian Wheezy         --> v6.12.1-1
        Ubuntu 12LTS/Precise  --> v6.11-2

I think ipset v5's a fairly safe bet.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
