On 20.05.22 at 05:49, Andrew Clark wrote:
> […] to route all
> traffic in the TOR network, but I have a bunch of addresses which
> should be passed directly, without using TOR.
>
> This is valid rule: iifname $int_ifs ip daddr @rkn meta l4proto tcp
> redirect to :9051
> But this one is not: iifname $int_ifs ip daddr != { @akamai,
> @stormwall } meta l4proto tcp redirect to :9051
>
> […]

Would it be sufficient to have only one list and work with the default package handling? For example a single whitelist causes direct package routing without Tor. The default rule forwards to the Tor network. The other way around a blacklist would force packages through Tor while the rest via default rule goes through!?

Out already pointed out that one rule is the other's negation. Is there a third route? Or even more?