familyple.blogg.se

Ipset linux














I think the problem is 81.212.0.0/14 has a bigger IP count than 65535, maybe idk.

If you are using an IPset of type hash, it has a maximal number of elements it can store, settable by the maxelem parameter when creating the IPset, and the default value for maxelem is 65536. And if you use an IPset of type bitmap, 65536 addresses is the maximum size of the map.

But what are you using the IPset for? If you are simply matching against the whole /14 segment, a hash-based IPset will be much less efficient than a simple network address & mask-based match.

But if you are just setting up an initial set and planning to later selectively knock out specific IP addresses from it, then it would make sense to use an IPset.

Even so, if the number of knocked-out IPs is expected to be relatively small, it might be sensible to invert the sense of whatever you're doing and use a mask-based match as the general rule and the IPset-based match as exceptions to it. Something like:

    iptables -N maybeAllow81_212
    iptables -A maybeAllow81_212 -m set --match-set denyiplist_81_212 src -j DROP
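The size check and the inverted rule layout described above, as an added example that is not part of the original page: it only prints commands and never calls ipset or iptables itself. The function names, the two exception addresses (constructed sample values), the final ACCEPT rule and the jump from INPUT are assumptions; the chain and set names come from the page.

```shell
#!/bin/sh
# Added example: dry-run planner. It prints commands and changes no firewall state.
DEFAULT_MAXELEM=65536   # default maxelem for hash-type sets, as stated on the page

# Number of IPv4 addresses in a block written as a.b.c.d/len.
cidr_size() {
    prefix=${1#*/}
    echo $(( 1 << (32 - prefix) ))
}

# True when every address of the block fits in a hash:ip set with the given
# maxelem (second argument, defaulting to 65536).
fits_hash_ip() {
    [ "$(cidr_size "$1")" -le "${2:-$DEFAULT_MAXELEM}" ]
}

# Inverted design: the set holds only the exceptions and the network mask is
# the general rule.  $1 = CIDR, $2 = chain name, $3 = set name, rest = IPs.
emit_rules() {
    cidr=$1; chain=$2; setname=$3; shift 3
    echo "ipset create $setname hash:ip"
    for ip in "$@"; do
        echo "ipset add $setname $ip"
    done
    echo "iptables -N $chain"
    echo "iptables -A $chain -m set --match-set $setname src -j DROP"
    echo "iptables -A $chain -j ACCEPT"        # assumption: everything else in the block is allowed
    echo "iptables -A INPUT -s $cidr -j $chain" # assumption: chain is reached from INPUT by mask match
}

net=81.212.0.0/14
if fits_hash_ip "$net"; then
    echo "# $net fits in a default hash:ip set"
else
    echo "# $net has $(cidr_size "$net") addresses, more than maxelem $DEFAULT_MAXELEM"
    # Constructed sample exceptions inside the /14.
    emit_rules "$net" maybeAllow81_212 denyiplist_81_212 81.212.10.5 81.213.200.9
fi
```

Review the printed commands before running them as root; the set only needs room for the exceptions, so the default maxelem is enough.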














