I do not think one can. One can use a subnet,e.g., -s 10.1.1.16/28. If the addresses do not fall into a single subnet, one can use a range with the iprange patch in patch-o-matic. Failing that, there is a handy utility at http://subnetcreator.sourceforge.net which can convert an iprange into a series of subnets so that one can make a series of subnet rules for a range, e.g, -s 10.1.1.10/31 -j ACCEPT, -s 10.1.1.11/30 -j ACCEPT, -s 10.1.1.12/30 -j ACCEPT, -s 10.1.1.16/30 and 10.1.1.20/32 for the range 10.1.1.10-20. We use it extensively to create NETMAP rules to resolve IP network address conflicts in the ISCS network security project (http://iscs.sourceforge.net). Other than that, I think you're stuck :-)
Another option is to use the ippool match.
Rodrigo Severo
