[iptables] Use ipset with conntrack module

[iptables] Use ipset with conntrack module

[Amiq Nahas]

Hi Guys,

Currently only a single ip-address can be specified with these options
in conntrack module:
--ctorigsrc address[/mask]
--ctorigdst address[/mask]
--ctreplsrc address[/mask]
--ctrepldst address[/mask]

I would like to add a new feature into iptables so that multiple
ip-addresses can be specified at once. I am thinking this can be done
using ipset.

Please share your thoughts on how this can be implemented.

Thanks
Amiq

Re: [iptables] Use ipset with conntrack module

[Florian Westphal]

Amiq Nahas <m992493@gmail.com> wrote:
> Hi Guys,
> 
> Currently only a single ip-address can be specified with these options
> in conntrack module:
> --ctorigsrc address[/mask]
> --ctorigdst address[/mask]
> --ctreplsrc address[/mask]
> --ctrepldst address[/mask]
> 
> I would like to add a new feature into iptables so that multiple
> ip-addresses can be specified at once. I am thinking this can be done
> using ipset.
> 
> Please share your thoughts on how this can be implemented.

This can be done with nftables.  I don't think its worth it to spend
time on this in iptables world.

You would also need to copy-paste reimplement the match  again if you want to
combine it with e.g. network interface.