Vladimir Khailenko <vkhailenko@xxxxxxxxx> wrote:
> Ouch... I thought this was just something undocumented (because with ipset + iptables it works perfectly :)
>
> I have doubts that this solution will be included in Debian Buster. Probably after the final patch they could ship a patched version (currently 0.9.0)...
>
> Thank you Florian for the fast reply.

The problem with ... ip protocol . tcp dport @xxxx ... is that the 'tcp dport' pulls in an implicit dependency on TCP, so set elements that have a protocol != tcp will never match.
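
Added example, not part of the original message: an nftables ruleset showing the implicit TCP dependency described above, next to a per-protocol alternative that avoids the concatenation. The table, chain and set names and the port numbers are constructed for illustration; the chains are unhooked, so loading the file does not filter traffic.

```nft
# Constructed example; all names and ports are illustrative assumptions.
table ip demo {
    # Concatenated set: protocol . port
    set services {
        type inet_proto . inet_service
        elements = { tcp . 22, udp . 53 }
    }

    # Per-protocol sets used by the alternative rules
    set tcp_services {
        type inet_service
        elements = { 22 }
    }
    set udp_services {
        type inet_service
        elements = { 53 }
    }

    chain input_concat {
        # 'tcp dport' adds an implicit "protocol is TCP" check ahead of the
        # set lookup, so only the tcp . 22 element can ever match here.
        # The udp . 53 element is never reached.
        ip protocol . tcp dport @services accept
    }

    chain input_split {
        # One rule per protocol: each implicit dependency agrees with
        # the set that the rule looks up.
        tcp dport @tcp_services accept
        udp dport @udp_services accept
    }
}
```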