Some time ago, I asked for help about this, and the answer was to use both.
Now, if I run fw4 reload, I get an error: ignoring invalid ipset entry.
I troubleshot by looking at differences with others, and changing some around; and I concluded that, yes, it really is setting src_ip and dest_ip together.
The same config used to work.
It's the same with src_net and dest_net.
I found out accidentally because I reconnected a device that wouldn't connect, and it started with getting issues I think because the zone name started with a number; which also used to work, but no longer does. I changed the name and assigned an interface to it, and in the process of diagnostics, I saw all of the other errors via fw4 reload.
Via webgui, I changed the aforementioned ipset rule Packet Field Match from just one match, saw that the error went away, and put the dest/src match back, and sure enough, it popped up again. This feels unintended. Please correct me if I'm wrong.