From: Michael Ludvig
Subject: Re: ipset hash:ip,port not matching
Date: Tue, 25 Jun 2013 21:05:59 +1200
Message-ID: <51C95D77.9060405@logix.net.nz>
References: <51C9371E.8020305@logix.net.nz>
To: Jozsef Kadlecsik
Cc: netfilter@vger.kernel.org

On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> On Tue, 25 Jun 2013, Michael Ludvig wrote:
>
>> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG \
>>      --log-prefix "IPSET(test-ipport,dst): "
>> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG \
>>      --log-prefix "IPSET(test-ipport,src): "
>
> In the rules above you specified a single direction flag for a two
> dimensional set, thus the matching returned "false". If in the first rule
> the port is the destination, then it should be:
>
> iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...

Thanks! I didn't know I was supposed to specify the direction for each
dimension of the set. That actually makes it quite flexible.

Is it possible to make iptables fail when there are not enough src's and
dst's in the command, to let users know there's something wrong?

Cheers

Michael
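The check Michael asks for (refusing a rule whose src/dst flag count does not match the set's dimensionality) can be done in a small wrapper before the rule ever reaches iptables. The script below is an added example, not code from this thread or from the ipset/netfilter projects. It derives the dimension count from the ipset type name (the number of comma-separated fields after the colon, so hash:ip,port is 2), counts the src/dst flags, and rejects a mismatch. The safe_iptables_set wrapper assumes ipset and iptables are on PATH and reads the live set's type from "ipset list -t"; the pure checking functions run without either tool.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): refuse an "-m set --match-set"
# rule whose number of src/dst direction flags does not match the number of
# dimensions of the ipset type, instead of silently matching nothing.

# Dimension count of an ipset type name, e.g. "hash:ip,port" -> 2,
# "hash:ip,port,net" -> 3, "bitmap:ip" -> 1.
ipset_dims() {
    fields=${1#*:}                      # drop the "hash:" / "bitmap:" / "list:" prefix
    printf '%s\n' "$fields" | awk -F, '{ print NF }'
}

# Number of comma-separated direction flags, e.g. "dst,dst" -> 2.
# Every flag must be "src" or "dst"; any other token yields 0 (invalid).
flag_count() {
    n=0
    old_ifs=$IFS
    IFS=,
    for f in $1; do
        case $f in
            src|dst) n=$((n + 1)) ;;
            *) IFS=$old_ifs; echo 0; return 0 ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# Returns 0 when the flags fit the set type, 1 (with a message on stderr) otherwise.
check_match_set() {
    set_type=$1
    flags=$2
    dims=$(ipset_dims "$set_type")
    cnt=$(flag_count "$flags")
    if [ "$cnt" -ne "$dims" ]; then
        echo "error: set type '$set_type' has $dims dimension(s) but $cnt valid direction flag(s) were given ('$flags')" >&2
        return 1
    fi
    return 0
}

# Wrapper around the rule from the thread. Assumes ipset and iptables exist;
# the set's type is read from "ipset list -t <name>" (the "Type:" line).
# Usage: safe_iptables_set test-ipport dst,dst -j LOG --log-prefix "IPSET: "
safe_iptables_set() {
    setname=$1
    flags=$2
    shift 2
    set_type=$(ipset list -t "$setname" 2>/dev/null | awk '/^Type:/ { print $2 }')
    [ -n "$set_type" ] || { echo "error: ipset '$setname' not found" >&2; return 1; }
    check_match_set "$set_type" "$flags" || return 1
    iptables -I INPUT -m set --match-set "$setname" "$flags" "$@"
}
```

With this wrapper, the single-flag rule from the original post is rejected before iptables sees it, while "dst,dst" (port is the destination port, as Jozsef describes) or "src,src" is accepted and passed through unchanged.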