Re: Odd use of netmasks - Supported?

On Friday 2012-10-05 00:07, tlhackque wrote:
>
> The syntax -A FOO -s 001:c000::0/0f:f000::  (note the leading 1s in the
> "netmask") seems to be accepted by iptables, and the rule appears with -L.

Yes, that is officially supported. So all that's lacking is the
mention in iptables.8.


> Of course, it would be nice to have a chain type that didn't have sequential
> evaluation semantics and just dispatched based on netmask and address... but
> that's how things might be, not how they are...
>
> (Why ridiculous chain lengths, you ask?  Country blocking.  But no
> philosophical discussions about why this is a bad idea/easy to subvert,
> please.)

To match on countries, you can preferably use xt_geoip (space
efficient and reasonably time efficient), or construct
something handmade with ipsets (time efficient but space is
secondary).
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

