From: Ed W
Subject: ipset question - multiple match-set clauses
Date: Tue, 26 Jul 2011 20:18:29 +0100
Message-ID: <4E2F1305.7000409@wildgooses.com>
To: Mail List - Netfilter

Hi,

If I use multiple match-set clauses, am I right in assuming that these form an "AND" relationship, i.e. all must be satisfied for the rule to match?

E.g. my mangle chain (generated by shorewall) looks something like:

    Chain tcpre (1 references)
     pkts bytes target  prot opt in  out  source     destination
     ...
        0     0 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0  mark match ! 0x0/0xffff match-set cp1 src,src match-set cp2 src,src MARK or 0x800
        2   149 MARK    all  --  *   *    0.0.0.0/0  0.0.0.0/0  mark match ! 0x0/0xffff match-set cp1 src,src MARK or 0x100

It's clear that the match for only cp1 fires, but the first rule, which matches both cp1/cp2, is not firing.

This seems to be as expected for iptables rules - I'm just debugging shorewall, which has a syntax of "+[ipset1,ipset2]" which is supposed to generate a logical OR, but generates the above rule (first line).

Can someone please confirm my understanding is correct?

Thanks

Ed W
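The behaviour asked about above, as an added illustration that is not part of the post or of shorewall: a small Python model of how netfilter walks a chain, where every match in one rule must hold (AND) and MARK is non-terminating. The set contents, source addresses and starting fwmark are constructed for the demo; the two `match-set` flags are reduced to a source-address lookup.

```python
from ipaddress import ip_address, ip_network

# Constructed ipset contents (hypothetical cp1/cp2 membership);
# 10.1.1.0/24 sits inside both sets so one host can satisfy cp1 AND cp2.
SETS = {
    "cp1": [ip_network("10.1.0.0/16")],
    "cp2": [ip_network("10.1.1.0/24"), ip_network("10.2.0.0/16")],
}

def match_set(name):
    """'match-set NAME src': true when the packet source is in the set."""
    return lambda pkt: any(ip_address(pkt["src"]) in n for n in SETS[name])

def mark_nonzero(pkt):
    """'mark match ! 0x0/0xffff': low 16 bits of the fwmark must be set."""
    return (pkt["mark"] & 0xffff) != 0

def mark_or(value):
    """'MARK or VALUE': OR the bits into the fwmark; non-terminating target."""
    def action(pkt):
        pkt["mark"] |= value
    return action

def run_chain(rules, pkt):
    """Walk the chain; a rule fires only if ALL its matches hold (AND), and
    MARK does not stop evaluation. Returns per-rule hits like the pkts column."""
    hits = []
    for matches, action in rules:
        fired = all(m(pkt) for m in matches)
        if fired:
            action(pkt)
        hits.append(int(fired))
    return hits

# The chain as shorewall generated it: both match-set clauses in ONE rule.
AND_CHAIN = [
    ([mark_nonzero, match_set("cp1"), match_set("cp2")], mark_or(0x800)),
    ([mark_nonzero, match_set("cp1")], mark_or(0x100)),
]

# A logical OR of cp1/cp2 needs one rule per set with the same target.
OR_CHAIN = [
    ([mark_nonzero, match_set("cp1")], mark_or(0x800)),
    ([mark_nonzero, match_set("cp2")], mark_or(0x800)),
    ([mark_nonzero, match_set("cp1")], mark_or(0x100)),
]

def evaluate(chain, src, mark=0x1):
    """Send one constructed packet through the chain; return (hits, mark)."""
    pkt = {"src": src, "mark": mark}
    return run_chain(chain, pkt), pkt["mark"]
```

A source in cp1 only leaves the first AND rule at zero hits and takes only the 0x100 mark, exactly the counters quoted in the post, while the OR chain marks it 0x800 as well.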