On 05/18/2018 06:26 PM, ObNox wrote:
> On 17/05/2018 17:32, Tom Eastep wrote:
>
>>> net { interface=${IF_NET} \
>>>       options="nets=(!${LAN_NET),nosmurfs,rpfilter,dhcp,dbl=src-dst" }
>>>
>>> Removing the "dbl=src-dst" part (introduced in 5.0.10) prevents the
>>> warnings from triggering.
>>
>> Thanks for the update -- I'll take a look.
>
> To stay on this topic: Given the fact that we now have
> DYNAMIC_BLACKLIST and "options" field in "interfaces" to handle the
> "src-dst" dynamic blacklisting, what would be the best/correct way to
> use "src-dst" setting? In DYNAMIC_BLACKLIST or "options" (in
> "interfaces") or both?
>
> What are the pros/cons of each method?
>

The default setting for all interfaces is determined by the setting in
DYNAMIC_BLACKLIST. That default may be overridden on an individual
interface using dbl= in the interface's OPTIONS.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users