On Wed, 20 Sep 2006, Ming-Ching Tiew wrote:

> > I have been reading ipset from http://ipset.netfilter.org/features.html
> > quite a few times but still do not understand what it means
> > by this:
> >
> >   iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
> >
> > My question is why the flag is dst,dst?
> >
> > And similarly, what is the significance if it is src,dst?
> > What if it is src,dst,dst and so on?
>
> Gosh, I think something suddenly sparked my mind; I think I understand it now.
> The number of flags ties to the bindings, i.e. in this example it is ip->port,
> then dst,dst would mean: check the destination IP and the destination port.
> Had the flags been src,dst, then it is checking the source IP and destination port.

Exactly. Also, if the set type itself stores data pairs, as in the case of
ipporthash, you have to define what kind of info from the packet must be
matched against the given set: (source or dest IP) and (source or dest) port.
I.e. if set 'servers' is of type ipporthash, you should use

  iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT

to match all of your servers (IP addresses) and their service ports, if the
set is properly filled up.

> I hope my understanding is correct. Perhaps the docs should explain it more
> clearly.

Yes, the docs are terse. Patches against the docs are (also) always welcome.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
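The flag semantics discussed in this thread, as an added example that is not part of the original mail and not ipset's own code: a small Python model in which a set type stores an ordered tuple of fields per entry (one field for iphash, IP and port for ipporthash) and the comma-separated match flags say, position by position, whether each stored field is compared against the packet's source or destination value. The set 'servers' and the two packets are constructed for the example; the function names (set_match, packet_field) and the dictionary packet layout are assumptions of this model, not ipset API.

```python
# Added example: a Python model of how ipset match flags select packet fields.
# This is not ipset's code. The set types and their stored fields follow the
# ipset docs cited in the thread; the entries and packets below are constructed.

# Each set type stores a tuple of fields per entry. The match flags name, in
# the same order, which side of the packet (src or dst) each field is read from.
SET_TYPE_FIELDS = {
    "iphash": ("ip",),
    "ipporthash": ("ip", "port"),
}


def packet_field(packet, side, field):
    """Read e.g. the destination port ('dst', 'port') from a packet dict."""
    return packet[f"{side}_{field}"]


def set_match(set_type, entries, flags, packet):
    """Return True if the packet matches the set when tested with `flags`.

    `flags` is the string given to `-m set --set <name> <flags>`, e.g.
    "dst,dst". Its n-th element says whether the n-th stored field of the
    set type is compared against the packet's source or destination value,
    so the number of flags has to equal the number of fields the set stores.
    """
    fields = SET_TYPE_FIELDS[set_type]
    sides = tuple(flags.split(","))
    if len(sides) != len(fields):
        raise ValueError(
            f"{set_type} stores {len(fields)} field(s) per entry, "
            f"but {len(sides)} flag(s) were given: {flags!r}")
    for side in sides:
        if side not in ("src", "dst"):
            raise ValueError(f"unknown flag {side!r}")
    # Build the lookup key from the chosen packet fields, in set-type order.
    key = tuple(packet_field(packet, side, field)
                for side, field in zip(sides, fields))
    return key in entries


# Constructed set 'servers' of type ipporthash: (server IP, service port).
SERVERS = {
    ("192.0.2.10", 80),
    ("192.0.2.10", 443),
    ("192.0.2.11", 25),
}


def demo():
    """Test the same set with different flag strings against two packets."""
    # Constructed packets: a client request to a server, and the server's reply.
    request = {"src_ip": "198.51.100.5", "src_port": 40001,
               "dst_ip": "192.0.2.10", "dst_port": 443}
    reply = {"src_ip": "192.0.2.10", "src_port": 443,
             "dst_ip": "198.51.100.5", "dst_port": 40001}
    return {
        # dst,dst: destination IP and destination port -> the request matches.
        "request dst,dst": set_match("ipporthash", SERVERS, "dst,dst", request),
        # The reply flows the other way, so dst,dst does not match it ...
        "reply dst,dst": set_match("ipporthash", SERVERS, "dst,dst", reply),
        # ... but src,src (source IP and source port) does.
        "reply src,src": set_match("ipporthash", SERVERS, "src,src", reply),
        # src,dst: source IP with destination port; no entry has that pair.
        "request src,dst": set_match("ipporthash", SERVERS, "src,dst", request),
    }


if __name__ == "__main__":
    for rule, matched in demo().items():
        print(f"{rule:18} -> {matched}")
```

Running the block prints one line per flag string. The model also answers the "src,dst,dst" question for a two-field set type: three flags for a set that stores two fields is rejected, since there is no third stored field for the extra flag to address.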