On 12/05/2021 01:50, slow_speed@xxxxxxx wrote:
> If a person creates an iptables or nftables rule, should multiple IP
> addresses be separated by a comma or a space or both?
Per the iptables(8) manual, the syntax of the -s and -d options is shown
as follows, indicating that addresses may be separated only by a comma.
[!] -s, --source address[/mask][,...]
[!] -d, --destination address[/mask][,...]
However, it goes on to say that "multiple addresses can be specified,
but this will expand to multiple rules". In other words, you cannot
define a single rule that references an arbitrary set of addresses
without using an extension. If that's what you need, consider the ipset
extension.
On the other hand, nftables intrinsically supports both named and
anonymous sets and is not subject to this limitation. For example, the
following rule is a valid one and singular in nature.
ip daddr { 8.8.8.8, 8.8.4.4 } accept
The space that follows the comma there is not required.
--
Kerin Millar
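The three approaches the reply contrasts, as an added example that is not part of the message above: a shell script that renders (without loading) the rules iptables would actually create from a comma-separated -s/-d list, the ipset alternative, and a single nftables rule backed by a named set. Chain, table and set names (OUTPUT, filter, resolvers) and the addresses are placeholders chosen for the example; nothing here modifies a live firewall, and the only optional live step is a syntax check with `nft -c` that is skipped unless nft is installed and the script runs as root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Renders firewall rules as
# text so the difference between the approaches is visible; nothing is loaded.

# Expand an iptables rule the way iptables(8) itself does for multi-address
# -s/-d arguments: every source is combined with every destination, so a rule
# with two sources and two destinations becomes four kernel rules.
# Arguments: chain, comma-separated sources, comma-separated destinations, target.
expand_iptables() {
    chain=$1 srcs=$2 dsts=$3 target=$4
    for s in $(printf '%s' "$srcs" | tr ',' ' '); do
        for d in $(printf '%s' "$dsts" | tr ',' ' '); do
            printf 'iptables -A %s -s %s -d %s -j %s\n' "$chain" "$s" "$d" "$target"
        done
    done
}

# How many kernel rules the expansion above produces.
count_iptables_rules() {
    expand_iptables "$@" | wc -l | tr -d ' '
}

# The ipset route for iptables: one set holding the addresses, one rule.
# Arguments: set name, comma-separated addresses.
render_ipset_commands() {
    set_name=$1 addrs=$2
    printf 'ipset create %s hash:ip\n' "$set_name"
    for a in $(printf '%s' "$addrs" | tr ',' ' '); do
        printf 'ipset add %s %s\n' "$set_name" "$a"
    done
    printf 'iptables -A OUTPUT -m set --match-set %s dst -j ACCEPT\n' "$set_name"
}

# The nftables route: a named set and a single rule referencing it. The
# elements list is passed through as written; nft accepts "a,b" with or
# without a space after the comma.
# Arguments: table name, set name, comma-separated addresses.
render_nft_ruleset() {
    table=$1 set=$2 addrs=$3
    cat <<EOF
table inet $table {
    set $set {
        type ipv4_addr
        elements = { $addrs }
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr @$set accept
    }
}
EOF
}

# Number of match rules in the rendered nftables table (always one).
count_nft_rules() {
    render_nft_ruleset "$@" | grep -c 'ip daddr @'
}

# Usage: print all three renderings side by side.
echo '# iptables expansion (2 sources x 2 destinations):'
expand_iptables OUTPUT 10.0.0.1,10.0.0.2 8.8.8.8,8.8.4.4 ACCEPT
echo '# ipset alternative:'
render_ipset_commands resolvers 8.8.8.8,8.8.4.4
echo '# nftables named set:'
render_nft_ruleset filter resolvers 8.8.8.8,8.8.4.4

# Optional: syntax-check the nftables ruleset without loading it. nft -c still
# needs a netlink socket, so this is skipped unless nft exists and we are root.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    render_nft_ruleset filter resolvers 8.8.8.8,8.8.4.4 | nft -c -f - \
        && echo '# nft ruleset parses'
fi
```

The practical consequence the reply hints at is the rule count: the iptables form with m sources and n destinations yields m*n separate rules, which is what `iptables -S` will show and what any later `-D` or audit script has to account for, whereas both the ipset and the nftables forms keep a single rule no matter how many addresses the set holds.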