Hi,

If I use multiple match-set clauses am I right in assuming that these form an "AND" relationship, ie all must be satisfied for the rule to match?

eg my mangle chain (generated by shorewall) looks something like:

    Chain tcpre (1 references)
     pkts bytes target prot opt in out source destination
    ...
        0     0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x0/0xffff match-set cp1 src,src match-set cp2 src,src MARK or 0x800
        2   149 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x0/0xffff match-set cp1 src,src MARK or 0x100

It's clear that the match for only cp1 fires, but the first rule which matches both cp1/cp2 is not firing. This seems to be as expected for iptables rules - I'm just debugging shorewall which has a syntax of "+[ipset1,ipset2]" which is supposed to generate a logical OR, but generates the above rule (first line).

Can someone please confirm my understanding is correct?

Thanks

Ed W
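
An added example, not part of the original post and not shorewall or iptables code: a small Python model of how the two listed rules evaluate when every match in a rule is ANDed, and how splitting the rule into one rule per set gives OR. The set memberships, addresses and function names are constructed for illustration, and each set lookup is simplified to the source address only.

```python
import re

# Constructed sample data (not from the post): source addresses in each ipset.
SETS = {"cp1": {"10.0.0.5", "10.0.0.6"}, "cp2": {"10.0.0.6"}}

# The two rule bodies as they appear in the listing in the post.
RULE_BOTH = ("mark match ! 0x0/0xffff match-set cp1 src,src "
             "match-set cp2 src,src MARK or 0x800")
RULE_CP1 = "mark match ! 0x0/0xffff match-set cp1 src,src MARK or 0x100"

# Assumption: a negated set match is listed as "! match-set NAME FLAGS".
SET_RE = re.compile(r"(!\s+)?match-set\s+(\S+)\s+(\S+)")
MARK_RE = re.compile(r"mark match\s+(!\s+)?(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def rule_matches(rule, src, mark, sets=SETS):
    """True only if every match in the rule is satisfied (logical AND)."""
    results = []
    m = MARK_RE.search(rule)
    if m:
        value, mask = int(m.group(2), 16), int(m.group(3), 16)
        hit = (mark & mask) == value
        results.append(hit != bool(m.group(1)))  # "!" inverts the match
    for neg, name, _flags in SET_RE.findall(rule):
        # Simplification: only the source address is looked up in the set.
        hit = src in sets.get(name, set())
        results.append(hit != bool(neg))
    return all(results)


def or_rules(rule):
    """Split a multi-set rule into one rule per set clause.

    A packet that fires any of the returned rules satisfies the OR. The
    "MARK or" target is idempotent, so firing twice sets the same bit.
    """
    clauses = [m.group(0) for m in SET_RE.finditer(rule)]
    out = []
    for keep in clauses:
        single = rule
        for clause in clauses:
            if clause != keep:
                single = single.replace(clause + " ", "", 1)
        out.append(single)
    return out
```
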