That worked fine.

So the most important thing here is

-m set --match-set foo src,src
OR
-m set --match-set foo src,dst

where the src or dst after the comma (,) actually means mark.

Normally it is confusing, as there is always something like src ip, dst ip; src port, dst port; src iface, dst iface ... but there is nothing like src mark, dst mark.

Thanks for the help.

Should we update the man pages on this, or am I dumb enough to ignore the obvious?

On Wed, Aug 26, 2015 at 3:59 PM, Vytas Dauksa <vytas.dauksa@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> please take a look at my test script:
> https://github.com/vytas-dauksa/ipset-mark-test-script/blob/master/test-ipset-nfmark.pl
> that might help you.
>
> Though, take into account before running it that it starts fresh each
> time, hence might remove other iptables/ipsets..
>
> On 26 August 2015 at 10:23, Akshat Kakkar <akshat.1984@xxxxxxxxx> wrote:
>> I have tried using what I mentioned and I get an error
>>
>> iptables -A FORWARD -m set --match-set foo src,mark -j ACEEPT
>>
>> iptables v1.4.21: You must spefify (the comma separated list of) 'src' or 'dst'.
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> On Wed, Aug 26, 2015 at 2:39 PM, Akshat Kakkar <akshat.1984@xxxxxxxxx> wrote:
>>> how to use hash:ip,mark in iptables ?
>>>
>>> I can create ipset, but how to match it in iptables?
>>>
>>> something like -m SET --match-set src,mark
>>>
>>> or something else altogether?
>
> --
> Vytas Dauksa
> Developer
>
> smoothwall
> vytas.dauksa@xxxxxxxxxxxxxx
> www.smoothwall.com
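The rule set discussed in this thread, as an added example that is not part of the original messages or of the linked test script: it builds a `hash:ip,mark` set and matches it with two `src`/`dst` flags. The set name `foo` comes from the thread; the address `192.0.2.10`, the mark `0x63`, and the helper names `run`, `check_flags` and `setup` are assumptions made for illustration. Commands are only printed unless `APPLY=1` is set (which needs root, ipset and iptables).

```shell
#!/bin/sh
# Added example. SET comes from the thread; HOST and MARK are constructed values.
SET=foo
HOST=192.0.2.10
MARK=0x63

# Print each command; execute it only when APPLY=1.
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# hash:ip,mark has two dimensions, so this helper insists on two flags.
# Each flag must be src or dst: iptables rejects anything else, which is
# the error the thread shows for "src,mark".
check_flags() {
    case "$1" in
        src,src|src,dst|dst,src|dst,dst) return 0 ;;
        *) echo "bad --match-set flags '$1': use src or dst for both dimensions" >&2
           return 1 ;;
    esac
}

setup() {
    flags=$1
    check_flags "$flags" || return 1
    run ipset create "$SET" hash:ip,mark
    run ipset add "$SET" "$HOST,$MARK"
    # The packet mark has to be set before FORWARD is evaluated;
    # mangle PREROUTING runs earlier in the packet path.
    run iptables -t mangle -A PREROUTING -s "$HOST" -j MARK --set-mark "$MARK"
    # First flag: which address of the packet is looked up in the set.
    # Second flag: placeholder for the mark dimension, as found in the thread.
    run iptables -A FORWARD -m set --match-set "$SET" "$flags" -j ACCEPT
}

# Dry run by default: prints the four commands for the flags given as $1.
setup "${1:-src,src}"
```
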