Is it possible to create a single, or very few, FORWARDing rules that will only ACCEPT a packet if its src and dst ipset is the same?

I have a handful of Linux routers that will be carrying multiple different customers' traffic, and I have to ensure that each customer can only send traffic from their own networks to other networks/subnets they have been allocated. My current plan is to create an ipset for each customer and put each of their networks/subnets into their ipset, and to simplify the FORWARDing rules, I'm hoping there is a simple way to only ACCEPT a packet if its src and dst are both in the same ipset. Is this easily doable? I'm trying to avoid having to create exceptions to a default deny for every possible combination of each customer's networks. I must admit, I've not used ipset in the past, so I'm not sure this is how it works.

Also, is there a way to distribute changes to the ipsets (when a client gets added / deleted or when a new network gets allocated) to multiple machines? I can script something, I just don't want to reinvent the wheel if there is something already out there.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
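An added example (not from the post or the list) showing one way to express the "src and dst in the same customer set" check and to produce a ruleset that can be shipped unchanged to every router: it builds one hash:net set per customer and one FORWARD rule per customer that combines two `-m set` matches, because a single `--match-set name src,dst` on a one-dimension set only consults the first flag. The customer names, the RFC 5737 subnets and the `CUSTOMER_MAP` layout are constructed assumptions.

```shell
#!/bin/sh
# Generate an `ipset restore` file and an `iptables-restore` fragment from a
# "customer subnet" map, so one central map yields an identical ruleset per router.
# Constructed sample map: hypothetical customer names and RFC 5737 test subnets.
CUSTOMER_MAP='custA 192.0.2.0/24
custA 198.51.100.0/25
custB 203.0.113.0/24
custB 198.51.100.128/25'

# Emit "create"/"add" lines for `ipset restore`: one hash:net set per customer.
# -exist makes the output idempotent, so it can be replayed after a map change.
gen_ipset_restore() {
  printf '%s\n' "$CUSTOMER_MAP" | awk '
    !seen[$1]++ { printf "create %s hash:net -exist\n", $1 }
    { printf "add %s %s -exist\n", $1, $2 }'
}

# Emit a FORWARD ruleset for `iptables-restore`: default DROP, plus one rule per
# customer that ACCEPTs only when BOTH src and dst fall inside that customer's set.
# Two -m set matches in one rule give the AND; nothing cross-customer is ever listed.
gen_iptables_restore() {
  printf '*filter\n:FORWARD DROP [0:0]\n'
  printf '%s\n' "$CUSTOMER_MAP" | awk '!seen[$1]++ { print $1 }' | while read -r cust; do
    printf '%s\n' "-A FORWARD -m set --match-set $cust src -m set --match-set $cust dst -j ACCEPT"
  done
  printf 'COMMIT\n'
}
```

On a router (as root) the two outputs are applied with `gen_ipset_restore | ipset restore` followed by `gen_iptables_restore | iptables-restore -n`; regenerating and re-applying after editing the map is the distribution step.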