Re: ipset hash:ip,port not matching

On Tue, 25 Jun 2013, Michael Ludvig wrote:

> On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> > On Tue, 25 Jun 2013, Michael Ludvig wrote:
> >
> >> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> >> --log-prefix "IPSET(test-ipport,dst): "
> >> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> >> --log-prefix "IPSET(test-ipport,src): "
> > In the rules above you specified a single direction flag for a
> > two-dimensional set, thus the matching returned "false". If in the first
> > rule the port is the destination, then it should be:
> >
> > iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...
> 
> Thanks! I didn't know I'm supposed to specify the direction for each
> dimension of the set. That actually makes it quite flexible.
> 
> Is it possible to make iptables fail when there are not enough src's and
> dst's in the command, to let users know there's something wrong?

The set match and target check only the existence of the set, and don't
verify the dimension of the set or the number of direction flags.
This is due to the list set type: in that case the direction flags are
passed to the members, which may change at runtime at any time.

The match and target could verify the directions for other set types,
though. It'd need a protocol change because the required information is
not passed in either direction at checking time.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
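As an added example (not part of the thread, nor of ipset or iptables), a small shell pre-flight check that does what Jozsef says the set match itself cannot do: compare the number of src/dst flags with the set's dimension before the rule is loaded. The function names and the `ipset list -t` header it parses are constructed for the example; a real script would replace SAMPLE_HEADER with the live command output.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight check comparing the
# direction flags of "-m set --match-set NAME FLAGS" with the set dimension.
# set_dimension TYPE: print the number of dimensions of an ipset type, i.e.
# the comma-separated components after the method (hash:ip,port -> 2).
set_dimension() {
    components=${1#*:}
    printf '%s\n' "$components" | awk -F, '{ print NF }'
}

# check_flags TYPE FLAGS: return 0 when FLAGS (e.g. "dst,dst") names exactly
# one src/dst per dimension of TYPE, 1 otherwise. list:* sets are accepted
# as-is, since their flags are applied to the member sets at runtime.
check_flags() {
    settype=$1; flags=$2
    case "$settype" in list:*) return 0 ;; esac
    dim=$(set_dimension "$settype")
    n=$(printf '%s\n' "$flags" | awk -F, '
        { for (i = 1; i <= NF; i++) if ($i != "src" && $i != "dst") exit 1
          print NF }') || return 1
    [ "$n" -eq "$dim" ]
}

# type_from_header: read "ipset list -t NAME" output on stdin, print the Type.
type_from_header() {
    awk -F': ' '$1 == "Type" { print $2 }'
}

# Constructed sample of "ipset list -t test-ipport" output, so the script
# runs without root or ipset; replace it with the real command in practice.
SAMPLE_HEADER='Name: test-ipport
Type: hash:ip,port
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
References: 0'
# check_rule_flags SETNAME FLAGS: validate FLAGS against the set's type.
check_rule_flags() {
    t=$(printf '%s\n' "$SAMPLE_HEADER" | type_from_header)
    if check_flags "$t" "$2"; then
        echo "ok: '$2' gives one flag per dimension of $1 ($t)"
    else
        echo "error: $1 is $t, expected $(set_dimension "$t") src/dst flags, got '$2'" >&2
        return 1
    fi
}
for flags in dst dst,dst; do      # the two rules from the thread
    check_rule_flags test-ipport "$flags" || true
done
```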