> Yes, indeed, this can be tricky....
>
> Alternatively, for this kind of setup, with rules that group IPs,
> maybe we can implement ipset?

Never used that so far.

> This allows creating groups/aliases of IPs or ports, and it's faster (hashtable):
>
> ipset -N groupip iphash --probes 8
> ipset -A groupip 10.0.0.1
> ipset -A groupip 10.0.0.2
> ipset -A groupip 10.0.0.3
>
> iptables -A tapchain -p tcp --dport 80 -m set --set groupip src -j ACCEPT
> iptables -A tapchain -p tcp --dport 22 -m set --set groupip src -j ACCEPT
>
> It's faster.

So you want to create one ipset for each rule? Or simply allow users to
define groups of addresses, like:

----1000.fw---
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP
00:15:17:f8:c3:e5 # a MAC address? what about ports?
...

[IN]
ACCEPT $groupip - tcp 22
----------

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
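The following is an added example, not code from this thread or from pve-firewall, showing how the sketched `[IPSET:name]` section could be turned into ipset(8) and iptables(8) commands. The section syntax, the five-field rule line (`ACTION SOURCE DEST PROTO DPORT`), the chain names and the use of a `hash:ip` set are all assumptions based only on the sketch above; the MAC-address line from the sketch is deliberately rejected, since a `hash:ip` set cannot hold one, which is the open question the post raises.

```python
"""Added example (not pve-firewall code): parse the proposed [IPSET:name]
section and [IN]/[OUT] rule lines into ipset and iptables commands.
All syntax and names are assumptions drawn from the sketch in the post."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
ACTIONS = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample in the proposed format (MAC line left out on purpose).
SAMPLE_FW = """\
[IPSET:groupip]
10.0.0.1 # first server IP
10.0.0.2 # second server IP
10.0.0.3 # third server IP

[IN]
ACCEPT $groupip - tcp 22
DROP - - - -
"""


def parse_fw(text):
    """Return (ipsets, rules).  ipsets: {name: [ip, ...]};
    rules: [(direction, action, src, dst, proto, dport), ...].
    '#' comments are stripped; a MAC in an ipset raises ValueError."""
    ipsets, rules = {}, []
    section, name = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[IPSET:(\w+)\]$", line)
        if m:
            section, name = "IPSET", m.group(1)
            ipsets[name] = []
            continue
        m = re.match(r"^\[(IN|OUT)\]$", line)
        if m:
            section, name = m.group(1), None
            continue
        if section == "IPSET":
            if MAC_RE.match(line):
                raise ValueError(f"{name}: MAC {line} cannot go in a hash:ip set")
            ipsets[name].append(str(ipaddress.ip_address(line)))  # validates
        elif section in ("IN", "OUT"):
            parts = line.split()
            if len(parts) != 5 or parts[0] not in ACTIONS:
                raise ValueError(f"bad rule line: {raw!r}")
            rules.append((section, *parts))
        else:
            raise ValueError(f"line outside any section: {raw!r}")
    return ipsets, rules


def render(ipsets, rules, chain_in="tapchain-in", chain_out="tapchain-out"):
    """Emit 'ipset -exist ...' lines (idempotent) followed by one iptables
    append per rule.  '$name' endpoints become '-m set --match-set name src|dst';
    plain endpoints become -s/-d; '-' means 'any'.  Chain names are assumed."""
    cmds = []
    for name, addrs in ipsets.items():
        cmds.append(f"ipset -exist create {name} hash:ip")
        cmds.extend(f"ipset -exist add {name} {a}" for a in addrs)
    for direction, action, src, dst, proto, dport in rules:
        parts = ["iptables", "-A", chain_in if direction == "IN" else chain_out]
        for ep, flag in ((src, "src"), (dst, "dst")):
            if ep == "-":
                continue
            if ep.startswith("$"):
                if ep[1:] not in ipsets:
                    raise ValueError(f"unknown ipset {ep[1:]}")
                parts += ["-m", "set", "--match-set", ep[1:], flag]
            else:
                net = ipaddress.ip_network(ep, strict=False)
                parts += ["-s" if flag == "src" else "-d", str(net)]
        if proto != "-":
            parts += ["-p", proto]          # -p must precede --dport
            if dport != "-":
                parts += ["--dport", dport]
        parts += ["-j", action]
        cmds.append(" ".join(parts))
    return cmds


def example():
    """Commands for SAMPLE_FW."""
    return render(*parse_fw(SAMPLE_FW))


def mac_line_rejected():
    """True if a MAC address inside an [IPSET:...] section is refused."""
    try:
        parse_fw("[IPSET:g]\n00:15:17:f8:c3:e5\n")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("\n".join(example()))
```

The ipset lines use `-exist` so that re-running the generated script after editing the file is safe, and a rule that refers to an undefined `$name` fails at generation time rather than leaving iptables to reject it halfway through a reload.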