shorewall-users April 2011 archive

Re: [Shorewall-users] ipsets in dest column ( NO HTML )

From: Tom Eastep <teastep_at_nospam>
Date: Thu Apr 28 2011 - 16:42:19 GMT
To: shorewall-users@lists.sourceforge.net

On 04/28/2011 09:23 AM, Mr Dash Four wrote:

>> Entries in the tcfilters file generate u32 filters which have no ipset
>> support (nor will ever, IMO). They use (offset,mask,value) tuples
>> applied to protocol headers and are not part of Netfilter at all. So
>> tcrules are the only mechanism available that supports ipsets.
>>
> I am no expert, but couldn't ipsets be included at least in the
> SOURCE/DEST columns of ip addresses/subnets and port ranges, possibly
> the protocol too as the new generation of ipset could have a tuple of
> either (sub)net, port and protocol used?

u32 filters don't use iptables; they use ip.

> That is what I would need ipset
> to be used for - I am quite happy for the rest to remain as it is.
>
> Wouldn't the use of tcrules force me to use simple traffic shaping instead?

No. It is 'tcpri' that is associated only with simple TC. But tcrules
are also available in that case as well.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
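
To make the (offset,mask,value) description quoted in this message concrete, here is an added example that is not part of the original post or of Shorewall's code: a simplified Python model of u32 key matching over a constructed IPv4 header. All function names are hypothetical, and u32 hash tables are not modelled; matching an arbitrary set of addresses is shown as one filter per member.

```python
import ipaddress
import struct

SRC_OFFSET, DST_OFFSET = 12, 16          # byte offsets in the IPv4 header
PROTO_TCP_KEY = (8, 0x00FF0000, 6 << 16)  # protocol is byte 9 of the word at 8

def build_ipv4_header(src, dst, proto=6):
    """Constructed 20-byte IPv4 header (checksum left at 0; unused here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def u32_match(packet, keys):
    """A filter matches when every key satisfies
    (32-bit word at offset) & mask == value & mask."""
    for offset, mask, value in keys:
        (word,) = struct.unpack_from("!I", packet, offset)
        if word & mask != value & mask:
            return False
    return True

def subnet_key(cidr, offset):
    """One contiguous subnet (or single host) becomes exactly one key."""
    net = ipaddress.ip_network(cidr)
    return (offset, int(net.netmask), int(net.network_address))

def filters_for_set(members, offset):
    """Unrelated addresses share no common mask/value pair, so in this
    model each member needs its own filter."""
    return [[subnet_key(m, offset)] for m in members]

def first_match(packet, filters):
    """Index of the first filter that matches, or None."""
    for index, keys in enumerate(filters):
        if u32_match(packet, keys):
            return index
    return None

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    members = ["192.0.2.10", "203.0.113.5", "198.51.100.99"]
    filters = filters_for_set(members, SRC_OFFSET)
    pkt = build_ipv4_header("203.0.113.5", "198.51.100.7")
    print(len(filters), "filters; packet hit filter", first_match(pkt, filters))
```
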
