Re: ipset ipporthash - need -p tcp|udp?

On Tue, 15 Mar 2011, Pandu Poluan wrote:

> On Tue, Mar 15, 2011 at 03:13, Jozsef Kadlecsik
> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> > On Tue, 15 Mar 2011, Pandu Poluan wrote:
> >
> >> A question's been bugging me since this evening:
> >>
> >> Do I need to specify -p tcp|udp if I want to match against an IP set
> >> of type ipporthash?
> >>
> >> Or, in other words, can I just write a rule like `iptables -A FORWARD
> >> -m set --match-set SetName dst,dst -j ACCEPT` ?
> >
> > The port is stored together with the protocol, so you should not specify the
> > protocol in the iptables rules. Unless you want to match a subset of the
> > set, selected by the protocol.
> >
> > Best regards,
> > Jozsef
> > -
> 
> Ahh, thanks for the explanation!
> 
> So, the ipporthash implicitly will only be applied to port-using
> protocols, e.g., TCP and UDP.
>
> What about SCTP's port? Will ipporthash also match against SCTP's ports?

Any protocol can be stored in an ipporthash, but at the moment the 
"port" is interpreted for TCP, UDP, ICMP and ICMPv6 only.

SCTP support can be added fairly easily.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
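The two rule forms discussed in this thread (no -p, so the set's own protocol decides; -p tcp, which selects only the TCP subset) as an added shell script, not code from the thread or the ipset project. It assumes ipset 6 syntax, where hash:ip,port is the name behind ipporthash and each entry is written ip,proto:port; the set name and addresses are constructed, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes ipset 6 syntax:
# hash:ip,port (alias ipporthash), entries as "ip,proto:port".
set -eu

SET_NAME="svc_allow"   # constructed set name

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Each entry stores the protocol with the port, so one set holds
# both TCP and UDP services (constructed sample entries).
create_set() {
    run ipset create "$SET_NAME" hash:ip,port
    run ipset add "$SET_NAME" 192.0.2.10,tcp:443
    run ipset add "$SET_NAME" 192.0.2.10,udp:53
    run ipset add "$SET_NAME" 192.0.2.20,tcp:25
}

# Form 1: no -p. The proto:port stored in the set decides the match,
# so the TCP and UDP entries are all live in this single rule.
rule_all_protocols() {
    run iptables -A FORWARD -m set --match-set "$SET_NAME" dst,dst -j ACCEPT
}

# Form 2: -p tcp restricts the rule to the TCP subset of the set;
# the udp:53 entry can never match through this rule.
rule_tcp_subset() {
    run iptables -A FORWARD -p tcp -m set --match-set "$SET_NAME" dst,dst -j ACCEPT
}

# Audit helper: how many entries of the set carry protocol $1.
# Shows what a -p subset rule leaves unmatched (e.g. the UDP entries).
count_proto_entries() {
    create_set | grep -c ",$1:"
}

create_set
rule_all_protocols
rule_tcp_subset
```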
