Using multiple ipsets in a single rule.

Using multiple ipsets in a single rule.

[Nikolai Lusan]

[-- Attachment #1: Type: text/plain, Size: 392 bytes --]

Hi,

After receiving advice that multiple set matching was supported I have
written a firewall that uses multiple set matches in a single iptables
rule only to receive the error message "--match-set can on be used
once". Is there support for matching against more than one set? Or is it
possible that this can be done in a future release?


-- 
Nikolai Lusan <nikolai@lusan.id.au>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Using multiple ipsets in a single rule.

[Andreas Herz]

On 02/08/12 at 13:50, Nikolai Lusan wrote:
> After receiving advice that multiple set matching was supported I have
> written a firewall that uses multiple set matches in a single iptables
> rule only to receive the error message "--match-set can on be used
> once". Is there support for matching against more than one set? Or is it
> possible that this can be done in a future release?

Can you give an example?
If i'm right, this is not possible yet but as i'm also patching ipset
for my needs i would say that it could be done in a future release.

-- 
Andreas Herz

Re: Using multiple ipsets in a single rule.

[Jozsef Kadlecsik]

On Thu, 2 Aug 2012, Nikolai Lusan wrote:

> After receiving advice that multiple set matching was supported I have
> written a firewall that uses multiple set matches in a single iptables
> rule only to receive the error message "--match-set can on be used
> once". Is there support for matching against more than one set? Or is it
> possible that this can be done in a future release?

Which is the iptables version you use? The parser has changed several 
times since the multiple same match support had been added, so the feature 
might get lost.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: Using multiple ipsets in a single rule.

[Jozsef Kadlecsik]

On Thu, 2 Aug 2012, Jozsef Kadlecsik wrote:

> On Thu, 2 Aug 2012, Nikolai Lusan wrote:
> 
> > After receiving advice that multiple set matching was supported I have
> > written a firewall that uses multiple set matches in a single iptables
> > rule only to receive the error message "--match-set can on be used
> > once". Is there support for matching against more than one set? Or is it
> > possible that this can be done in a future release?
> 
> Which is the iptables version you use? The parser has changed several 
> times since the multiple same match support had been added, so the feature 
> might get lost.

No, you must use wrong syntax. Matching against multiple sets is supported 
via multiple matches, i.e.

iptables ... -m set --match-set foo src,dst -m set --match-set bar src ...

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary