Hello guys! I have the following setup: Linux router acting as a gateway for several subnets in the LAN. The subnets are: 127.17.0.0/16 (will go out via NAT) 195.229.x.x/24 193.289.y.y/28 213.189.z.z/26 etc. There are about 20 subnets including the private Class B subnet. I want to mark the packets that will go on the Internet, and leave out the packets that move from one subnet to the other. If I am to use something like: -s 172.17.0.0/16 -d !195.229.x.x/24 -s 172.17.0.0/16 -d !193.289.y.y/28 etc... I will have around 100 rules for upload and 100 for download Is there any possibility to use something like: -s 172.17.0.0/16 -d !195.229.x.x/24, !193.289.y.y/28, ... As in to use something like ipset Or, Match the packets by the next-hop address... -m nexthop --next-hop GW_ADDRESS Unfortunately ipset cannot be used for this scenario, and the old nexthop patch was not accepted in the pom tree. Does anybody have an old copy of the nexthop patch (https://lists.netfilter.org/pipermail/netfilter-devel/2003-November/013216. html), or any other idea... Thanks, Mihai _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc