I am not able to get *any* matches when I have the following combinations:
1. ipporthash: x.x.x.x,y [src,dst] or [dst,src] (i.e. source IP address
and destination port and vice versa);
2. ipportiphash: x.x.x.x,y,z.z.z.z [src,dst,dst] or [dst,src,src] (i.e.
source IP address, destination port and destination IP address and vice
versa);
3. ipportnethash x.x.x.x,y,z.z.z.z/c [src,dst,dst] or [dst,src,src]
(i.e. source IP address, destination port and destination subnet and
vice versa);
When I split up the above sets like:
For case 1: match-set single-set src match-set single-port dst (and vice
versa with src and dst reversed) - all in one line - i.e. creating two
separate sets containing the appropriate src IP address and dst
ports respectively;
For case 2: match-set single-set src match-set double-set dst,dst (and
vice versa with src and dst reversed) - all in one line - i.e. creating
two separate sets containing the appropriate src IP address and another
set containing the destination IP addresses *and* ports respectively;
For case 3: match-set single-set src match-set double-net-set dst,dst
(and vice versa with src and dst reversed) - all in one line - i.e.
creating two separate sets containing the appropriate src IP address and
another set containing the destination IP subnet addresses *and* ports
respectively;
I was able to get a match! This leads me to believe that either xtables
has a bug and can't handle mixed src,dst designations in the same set,
or, I am doing something wrong. Which is it?
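
A small Python model of the documented `--match-set` flag semantics (one src/dst flag per set dimension, in order), added here as an illustration and not part of the original message or of the netfilter code. It covers case 1 only and shows that the split two-set rule accepts the cross product of addresses and ports, which is broader than the tuple set; all names and addresses are constructed.

```python
from itertools import product

# Constructed sample packet (documentation addresses, not from the post).
PKT = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7",
       "src_port": 40000, "dst_port": 443}

def lookup_key(pkt, dims, flags):
    """Build the element looked up in a set: dimension i of the set is
    filled from the packet field selected by flag i (src or dst)."""
    if len(dims) != len(flags):
        raise ValueError("one src/dst flag is needed per set dimension")
    return tuple(pkt[f"{flag}_{dim}"] for dim, flag in zip(dims, flags))

def set_match(pkt, members, dims, flags):
    """True when the packet's lookup key is a member of the set."""
    return lookup_key(pkt, dims, flags) in members

# Case 1 as one two-dimensional set: (source IP, destination port) tuples.
combined = {("192.0.2.10", 443), ("192.0.2.20", 22)}

# Case 1 split into two one-dimensional sets, as in the workaround.
ips = {(ip,) for ip, _ in combined}
ports = {(port,) for _, port in combined}

def split_match(pkt):
    """Model of: match-set <ip set> src match-set <port set> dst."""
    return (set_match(pkt, ips, ["ip"], ["src"]) and
            set_match(pkt, ports, ["port"], ["dst"]))

def extra_pairs():
    """Pairs the split rule accepts that the combined set does not hold."""
    cross = set(product((i for (i,) in ips), (p for (p,) in ports)))
    return sorted(cross - combined)

if __name__ == "__main__":
    print("combined key:", lookup_key(PKT, ["ip", "port"], ["src", "dst"]))
    print("combined match:", set_match(PKT, combined, ["ip", "port"], ["src", "dst"]))
    print("split match:", split_match(PKT))
    print("only matched by split rule:", extra_pairs())
```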