> From: shorewall-users-admin@...
> [mailto:shorewall-users-admin@... Behalf Of Tom
> Lux wrote:
> > Hi all
> > I have a "vpn gateway" with CentOS 4: kernel 2.6.9, iptables 1.2.11,
> > shorewall 2.4.2.
> > The kernel is rebuilt with some patch-o-matic patches, some of which are the
> > ipsec policy ones.
> Since you already use patch-o-matic-ng, your best bet in the long run is to
> add the ipset patch to your kernel and use an ipset to define your dynamic
> zone. That way, you can just add and delete addresses from the ipsec. Once
> ipset functionality is available in standard kernels, the old Shorewall
> dynamic zone feature will be removed (It's complex, hard to maintain and
> full of interesting "features").
I'm going to try ipset when I have the chance. In the past I had a problem
compiling the iptables+ipset patch, but I hope I'll solve it.
> Please try the attached patch against /usr/share/shorewall/firewall and let
> me know if it corrects your problem.
It works! Thanks. Is this patch going to be included in future releases?