Lars,

 : is it possible to make rules or routes with negated ip addresses like
 : that:

You can simulate this with the following technique:

  # ip rule add table xyz
  # ip route add $ALLOWED_DESTINATION table xyz
  # ip route add throw default table xyz

Strictly speaking, this might require a bit more gyration to accomplish
your desired syntax, while still allowing you to reach your goal. The
"throw" route type allows you to create sets of tables which can be used
to "negate".

  http://linux-ip.net/html/routing-rpdb.html
  http://linux-ip.net/html/routing-tables.html#routing-table-entries

 : ip rule add from ! 192.168.0.0/16 table xyz

The closest suggestion I can make to your desired syntax would be to use
two routing tables.

  # ip rule add from 192.168.0.0/16 table notxyz
  # ip rule add blackhole from 192.168.0.0/16
  # ip rule add table xyz

The first two rules would take care of all packets bound from
192.168.0.0/16, and the last rule would effectively handle any packets
which were from ! 192.168.0.0/16. These would need to be higher priority
(lower number) in the RPDB in order for this to function properly.

 : Or is this planned for the future?

I have no idea. I'd bet the answer is "no", but you could probably get it
straight from the linux-net horse's mouth if you asked.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
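The following is an added model of the RPDB walk described above (not code from Martin's reply or from iproute2): it shows why the two-table construction behaves like "from ! 192.168.0.0/16 table xyz", and why a "throw" route in table xyz hands non-allowed destinations back to the rule list. Table names, priorities, next hops and the helper names are constructed for the illustration.

```python
import ipaddress

# Constructed model of the Linux RPDB: rules are checked in priority order; a
# rule whose "from" selector matches either terminates (blackhole) or sends the
# packet to a table.  A "throw" route, or no matching route in that table,
# falls through to the next rule.  Helper names are hypothetical.

def route_lookup(table, dst):
    """Longest-prefix match within one table; returns the action or None."""
    best = None
    for prefix, action in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best and best[1]

def rpdb_lookup(rules, tables, src, dst):
    """Walk the rules; return (table, action) that decided the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        sel = rule.get("from")
        if sel and src not in ipaddress.ip_network(sel):
            continue                      # selector does not match: next rule
        if rule.get("blackhole"):
            return ("rule", "blackhole")  # terminal rule type, packet dropped
        action = route_lookup(tables[rule["table"]], dst)
        if action is None or action == "throw":
            continue                      # fall back to the RPDB
        return (rule["table"], action)
    return ("none", "unreachable")

# Emulation of "from ! 192.168.0.0/16 table xyz" using the two tables from the
# post; lower prio number = higher priority, as in the kernel.
RULES = [
    {"prio": 100, "from": "192.168.0.0/16", "table": "notxyz"},
    {"prio": 101, "from": "192.168.0.0/16", "blackhole": True},
    {"prio": 102, "table": "xyz"},
    {"prio": 32766, "table": "main"},
]
TABLES = {
    "notxyz": [("0.0.0.0/0", "via 192.168.0.1")],
    "xyz": [("10.20.0.0/16", "via 10.0.0.1"), ("0.0.0.0/0", "throw")],
    "main": [("0.0.0.0/0", "via 203.0.113.1")],
}
```

Sources inside 192.168.0.0/16 never reach table xyz (the blackhole rule catches them even if notxyz has no route), while everything else is looked up in xyz and, on the throw, continues to main.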