On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> On Tue, 25 Jun 2013, Michael Ludvig wrote:
>
>> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG --log-prefix "IPSET(test-ipport,dst): "
>> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG --log-prefix "IPSET(test-ipport,src): "
>
> In the rules above you specified a single direction flag for a two
> dimensional set, thus the matching returned "false". If in the first rule
> the port is the destination, then it should be:
>
> iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...

Thanks! I didn't know I'm supposed to specify the direction for each dimension of the set. That actually makes it quite flexible.

Is it possible to make iptables fail when there are not enough src's and dst's in the command? To let users know there's something wrong.

Cheers
Michael

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
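A pre-flight check of the kind asked for above, as an added example that is not part of this thread: it counts the dimensions of an ipset type (the value on the `Type:` line of `ipset list SET`, e.g. `hash:ip,port`) against the comma-separated src/dst flags handed to `--match-set`, and refuses to run iptables when the two differ. The set type is passed in by hand here, and `safe_match_set` is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example: validate "-m set --match-set SET FLAGS" before iptables runs.
# The set type string is supplied by the caller; on a live box it would be
# read from the "Type:" line of `ipset list SET`.

# Number of dimensions in an ipset type: "hash:ip,port" -> 2, "hash:ip" -> 1
set_dimensions() {
    dims=${1#*:}                      # drop the "hash:"/"bitmap:" method prefix
    echo "$dims" | awk -F, '{print NF}'
}

# Number of direction flags: "dst,dst" -> 2; fails on anything but src/dst
flag_count() {
    n=0
    old_ifs=$IFS; IFS=,
    for f in $1; do
        case $f in
            src|dst) n=$((n + 1)) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# check_match_set TYPE FLAGS -> 0 when there is one flag per dimension, else 1
check_match_set() {
    need=$(set_dimensions "$1")
    have=$(flag_count "$2") || { echo "bad flag in '$2' (use src/dst)" >&2; return 1; }
    if [ "$have" -ne "$need" ]; then
        echo "set type $1 has $need dimension(s) but '$2' gives $have flag(s)" >&2
        return 1
    fi
    return 0
}

# Hypothetical wrapper: safe_match_set TYPE SET FLAGS [further iptables args]
# Only reaches iptables when the flag list matches the set's dimensions.
safe_match_set() {
    settype=$1; setname=$2; flags=$3; shift 3
    check_match_set "$settype" "$flags" || return 1
    iptables -I INPUT -m set --match-set "$setname" "$flags" "$@"
}
```

With the thread's set, `check_match_set hash:ip,port dst` fails and `check_match_set hash:ip,port dst,dst` passes.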