I am having trouble getting a  DNAT to work like so:

in rules:
DNAT    net:+cust_eth2          colo:PPP.PPP.P.PPP:22   tcp     2222    -       XXX.XXX.XX.XX

snipped config files:

net     ipv4
cust:net        ipv4

net     eth2                    detect

cust    eth2:+cust_eth2

# ipset -L
Name: cust_eth2
Type: iphash
References: 9
Header: hashsize: 1024 probes: 8 resize: 50

When I connect from the the ip .87.173 as listed in the ipset, it doesn't work as per this log message:
 Shorewall:cust2fw:REJECT:IN=eth2 OUT= MAC=0000000000 SRC=XXX.XX.87.173 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=5116 DF PROTO=TCP SPT=52521 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0

I also tried in hosts:
cust   eth2:dynamic

Weird thing is, if I remove the ipset restriction on the DNAT, it still blocks me, until I remove my ip from the ipset.

Any pointers? have I missed something obvious. I know the logmsg says cust2fw, but I assume thats because the DNAT is failing to add and accompanying ACCEPT rule for the ipset. No idea why though.

thanks in advance!