From: "tian fang" <tianfang@gmail.com>
To: 'Jozsef Kadlecsik' <kadlec@blackhole.kfki.hu>
Cc: netfilter@vger.kernel.org
Subject: RE: Fwd: ipset and counters
Date: Tue, 7 May 2013 21:32:22 +0800
Message-ID: <002c01ce4b27$5026a240$f073e6c0$@com>
In-Reply-To: <alpine.DEB.2.00.1305071409560.16401@blackhole.kfki.hu>

> I am using Ubuntu 12.04 LTS.

I'll check this out: it should work without any extra effort.

> And I got an issue. I am sorry if I am wrong, because I am quite a newbie.
> 
> I am confused by the "--match-set setname src,dst". It seems only
> the one before the comma is functional. Please look at this.
> 
> I added an IP into the ipset sec, and set the iptables FORWARD chain as
> "dst, src". I guess this means dst OR src, but unfortunately my
> outgoing packages were dropped.
> 
> If I set two separate lines, it works.

If the dimension of the set is less than the direction parameters of the set
match/SET target, then that's ignored.

With "--match-set setname src,dst" you instruct ipset that if the named set
stores IP address and port number pairs, then get the source and destination
parameters from the packets, say 192.168.1.1 as source address, TCP port 80
as destination, form the element 192.168.1.1,tcp:80 and look it up in the
given set.

You can't store and look up IP address pairs, if that's what you want.

Best regards,
Jozsef
 
Jozsef,
    Thanks much for your kindness. It seems I have to set two separate rules
for my purpose.
And I have a last question: what is the maximum number of the ipset bytes
counters?

RGS
tian
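
Added example (not part of the original thread and not ipset's own code): a small Python model of the lookup Jozsef describes, where each direction flag selects the packet side for one set dimension and flags beyond the set's dimension are ignored. The class and function names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified model for illustration; Packet, IpSet, build_element, match_set and
# either_direction are hypothetical names, not ipset or kernel interfaces.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class IpSet:
    dims: tuple          # ("ip",) stores addresses; ("ip", "port") stores address,port pairs
    members: frozenset

def build_element(pkt, ipset, directions):
    """Form the lookup element: one field per set dimension, each read from the
    packet side (src or dst) named by the direction flag in the same position."""
    flags = [f.strip() for f in directions.split(",")]
    if len(flags) < len(ipset.dims) or any(f not in ("src", "dst") for f in flags):
        raise ValueError("unsupported direction list for this model")
    fields = []
    for kind, side in zip(ipset.dims, flags):   # zip() drops the surplus flags
        if kind == "ip":
            fields.append(getattr(pkt, side + "_ip"))
        else:
            fields.append(f"{pkt.proto}:{getattr(pkt, side + '_port')}")
    return ",".join(fields)

def match_set(pkt, ipset, directions):
    return build_element(pkt, ipset, directions) in ipset.members

def either_direction(pkt, ipset):
    """Two separate rules, one with 'src' and one with 'dst': address on either side."""
    return match_set(pkt, ipset, "src") or match_set(pkt, ipset, "dst")

# Constructed sample data (addresses from private/documentation ranges).
hosts = IpSet(("ip",), frozenset({"10.0.0.5"}))
pairs = IpSet(("ip", "port"), frozenset({"192.168.1.1,tcp:80"}))
outgoing = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443)
reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000)
web = Packet("192.168.1.1", "198.51.100.7", "tcp", 51000, 80)

if __name__ == "__main__":
    print(build_element(web, pairs, "src,dst"))      # element for the address,port set
    print(match_set(outgoing, hosts, "dst,src"))     # only "dst" is consulted
    print(match_set(reply, hosts, "dst,src"))
    print(either_direction(outgoing, hosts))
```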

