Multiple Address specification or match

Temp02 temp02 at bluereef.com.au
Thu Sep 30 10:59:43 CEST 2004


Thanks for your feedback, but neither of these solutions is particularly
elegant.

The first (using more than one rule) requires the use of a lot more rules
than are really necessary. As an example, let's say that I wanted to prevent
access to a range of subnets but allow everything else. Ideally I should be
able to:

iptables -A PREROUTING -d ! 10.0.0.0/8 -d ! 192.168.1.0/24 \
    -d ! 172.16.0.0/16 -m whatever -j ACCEPT

Instead I would need three explicit drop rules and then an allow-everything-
else rule (assuming a default drop policy).

The problem with the IPset/pool options is that they match only on a range
of addresses, not specifically by source or destination; also, they seem to
require the use of another userspace program to actually build the sets,
which in itself complicates the process.

Is it hard to extend the source and destination match functions to accept
multiple arguments?

----- Original Message -----
From: "Henrik Nordstrom" <hno at marasystems.com>
To: "Temp02" <temp02 at bluereef.com.au>
Cc: <netfilter-devel at lists.netfilter.org>; "Swapnil Nagle"
<swapsn at rediffmail.com>
Sent: Thursday, September 30, 2004 6:34 PM
Subject: Re: Multiple Address specification or match


> On Thu, 30 Sep 2004, Temp02 wrote:
>
> > No, obviously a single source can't be both addresses, but the intent is
> > to allow a single rule to be used to match sources from both source ranges.
>
> There are two ways of doing this:
>
> a) Using two rules, one per IP address.
>
> b) Using an ippool/ipset storing the IP addresses.
>
> Regards
> Henrik
>
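The two constructions Henrik lists, written out as a small POSIX shell script that only prints the commands so they can be reviewed before being loaded. This is an added example, not code from the thread or from the netfilter project. It assumes current ipset syntax (`ipset create` / `ipset add` and the iptables `-m set --match-set` match), a hypothetical chain name `blocked_dst` and set name `blocked_dst_set`, and the FORWARD chain rather than PREROUTING, because the filter table has no PREROUTING chain (an ACCEPT/DROP rule there would have to live in the mangle table). The subnet list is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): emit both rule sets discussed above
# for a list of destination subnets that must not be reachable, so the
# result can be read before anything is loaded into the kernel.

CHAIN=blocked_dst        # hypothetical user-defined chain name (assumption)
SET=blocked_dst_set      # hypothetical ipset name (assumption)

# Constructed sample input: the three private ranges from the message.
SUBNETS="10.0.0.0/8 192.168.1.0/24 172.16.0.0/16"

# Option a) one rule per address range, then a final ACCEPT.
# iptables takes a single -d per rule, so "-d ! A -d ! B" is not
# expressible; the per-subnet DROPs followed by ACCEPT is the equivalent.
gen_multi_rule() {
    echo "iptables -N $CHAIN"
    for net in $SUBNETS; do
        echo "iptables -A $CHAIN -d $net -j DROP"
    done
    echo "iptables -A $CHAIN -j ACCEPT"
}

# Option b) the addresses live in an ipset; one iptables rule refers to it.
# "dst" selects which address of the packet is looked up in the set, and the
# leading "!" negates the match, giving "destination not in any subnet" in
# a single rule.
gen_ipset_rule() {
    echo "ipset create $SET hash:net"
    for net in $SUBNETS; do
        echo "ipset add $SET $net"
    done
    echo "iptables -A FORWARD -m set ! --match-set $SET dst -j ACCEPT"
}

# Count the non-empty lines of a rule listing (used for self-checking).
count_lines() {
    grep -c .
}

echo "# option a) multiple rules"
gen_multi_rule
echo "# option b) ipset"
gen_ipset_rule
```

Pipe the output into `sh` on a host where you have root and the ipset tools installed to actually apply it; running it plainly just prints the commands. Note that with option b) the direction is chosen per rule through the `src`/`dst` flag of `--match-set`, so the same set can serve both a source and a destination rule.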