Multiple Address specification or match

Temp02 temp02 at
Thu Sep 30 10:59:43 CEST 2004

thanks for your feedback but neither of these solutions is particularly

The first (using more than one rule) requires the use of a lot more rules
than are really necessary. As an example, let's say that I wanted to prevent
access to a range of subnets but allow everything else. Ideally I should be
able to:

iptables -A PREROUTING -d ! -d ! -d ! -m whatever -j ACCEPT

Instead I would need three explicit drop rules and then an allow-everything-
else rule (assuming a default drop policy).

The problem with the IPset/pool options is that they match only on a range
of addresses, not specifically by source or destination; also they seem to
require the use of another userspace program to actually build the sets,
which in itself complicates the process.

Is it hard to extend the source and destination match functions to accept
multiple arguments?

----- Original Message -----
From: "Henrik Nordstrom" <hno at>
To: "Temp02" <temp02 at>
Cc: <netfilter-devel at>; "Swapnil Nagle"
<swapsn at>
Sent: Thursday, September 30, 2004 6:34 PM
Subject: Re: Multiple Address specification or match

> On Thu, 30 Sep 2004, Temp02 wrote:
> > No obviously a single source can't be both addresses, but the intent is
> > allow a single rule to be used to match sources from both source ranges.
> There are two ways of doing this
> a) Using two rules, one per IP address.
> b) Using an ippool/ipset storing the IP addresses.
> Regards
> Henrik
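As an added illustration (not code from the original thread), a small Python model of first-match chain evaluation showing that the ruleset Temp02 says he is forced to write (one DROP per subnet, then ACCEPT) gives the same verdicts as a single "accept if the destination is outside the set" rule, and that the single-rule form silently depends on the chain's default policy being DROP. The subnets and sample destinations are constructed.

```python
import ipaddress

# Constructed sample: three destination subnets that should be blocked.
BLOCKED = [ipaddress.ip_network(n)
           for n in ("10.1.0.0/16", "192.168.5.0/24", "172.16.8.0/22")]


def explicit_rules(blocked, default="DROP"):
    """Ruleset with one explicit DROP per subnet, then an ACCEPT-everything rule.
    Returns (rules, chain_default)."""
    rules = [("dst_in", net, "DROP") for net in blocked]
    rules.append(("any", None, "ACCEPT"))
    return rules, default


def set_rule(blocked, default="DROP"):
    """Single rule in the spirit of '-d ! A -d ! B -d ! C -j ACCEPT':
    accept only when the destination is in none of the subnets.
    Anything that does not match falls through to the chain default."""
    return [("dst_not_in_set", blocked, "ACCEPT")], default


def evaluate(rules, default, dst):
    """First-match evaluation like an iptables chain: the first matching
    rule's target is the verdict; if nothing matches, the default applies."""
    ip = ipaddress.ip_address(dst)
    for kind, arg, verdict in rules:
        if kind == "any":
            return verdict
        if kind == "dst_in" and ip in arg:
            return verdict
        if kind == "dst_not_in_set" and not any(ip in net for net in arg):
            return verdict
    return default


def equivalent(blocked, samples, default="DROP"):
    """True when both rulesets give the same verdict for every sample dst."""
    a_rules, a_def = explicit_rules(blocked, default)
    b_rules, b_def = set_rule(blocked, default)
    return all(evaluate(a_rules, a_def, d) == evaluate(b_rules, b_def, d)
               for d in samples)


if __name__ == "__main__":
    samples = ["10.1.2.3", "192.168.5.9", "172.16.11.1", "172.16.12.1", "8.8.8.8"]
    print("default DROP, equivalent:", equivalent(BLOCKED, samples))          # True
    print("default ACCEPT, equivalent:", equivalent(BLOCKED, samples, "ACCEPT"))  # False
```

With a default ACCEPT policy the explicit ruleset still drops the three subnets, while the single set-match rule lets them through, which is why the "assuming a default drop policy" caveat matters.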
