I want to configure ipset hash:mac in fw3. I had some problems in the process: fw3 does not seem to support such a configuration. I can only configure it as follows:
config ipset
    option name IPSET_TEST
    option match 'src_ip src_mac'
    option storage bitmap
    option iprange '192.168.8.0/24'
    option enabled 1
    list entry '192.168.8.153,08:57:00:e5:88:6b'
However, I don't want to bind IP, I want it to look like this:
config ipset
    option name IPSET_TEST
    option match 'src_mac'
    option storage hash
    option enabled 1
    list entry '08:57:00:e5:88:6b'

config ipset
    option name 'bogons'
    option storage 'hash'
    option match 'src_net'
    list entry '0.0.0.0/8'
    list entry '10.0.0.0/8'
    list entry '100.64.0.0/10'
    list entry '127.0.0.0/8'
    list entry '169.254.0.0/16'
    list entry '172.16.0.0/12'
    list entry '192.0.0.0/24'
    list entry '192.0.2.0/24'
    list entry '192.168.0.0/16'
    list entry '198.18.0.0/15'
    list entry '198.51.100.0/24'
    list entry '203.0.113.0/24'
    list entry '224.0.0.0/4'
    list entry '240.0.0.0/4'

config rule
    option name 'bogons'
    option src 'wan'
    option family 'ipv4'
    option proto 'all'
    option ipset 'bogons'
    option target 'DROP'

Thanks for your reply. The ipset and iptables commands can completely solve my problem, but I want to write them in /etc/config/firewall so that I can make sure my rules are loaded correctly after an fw3 restart.
Why not simply use a hotplug script in /etc/hotplug.d/firewall? I'm using it that way in banIP and therefore I'm not limited to fw3-supported iptables syntax.
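
The hotplug approach suggested above, as an added example (not code from this thread or from banIP): a script for /etc/hotplug.d/firewall that builds the hash:mac set with ipset directly, since fw3 does not accept it. The set name and MAC come from the first post; the file name, the forwarding_rule chain and the DROP target are assumptions.

```shell
#!/bin/sh
# Added example: /etc/hotplug.d/firewall/50-macset (hypothetical file name).
# SET_NAME and the MAC are taken from the first post; CHAIN and TARGET
# are illustrative assumptions, adjust them to the policy you need.

SET_NAME="IPSET_TEST"
MACS="08:57:00:e5:88:6b"      # space-separated list of source MACs
CHAIN="forwarding_rule"       # assumed: fw3 user chain in the filter table
TARGET="DROP"                 # assumed action for matching hosts

# Return 0 only for six colon-separated hex octets, so a typo never
# reaches "ipset restore" and aborts the whole batch.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit "ipset restore" input: create the set, empty it, re-add entries.
build_restore() {
    echo "create $SET_NAME hash:mac"
    echo "flush $SET_NAME"
    for mac in $MACS; do
        if valid_mac "$mac"; then
            echo "add $SET_NAME $mac"
        else
            echo "skipping invalid MAC: $mac" >&2
        fi
    done
}

# Load the set, then make sure exactly one rule references it.
apply_macset() {
    # -exist: do not fail if the set or an entry is already present
    build_restore | ipset -exist restore || return 1
    # -C tests for the rule so repeated events do not duplicate it
    iptables -C "$CHAIN" -m set --match-set "$SET_NAME" src -j "$TARGET" 2>/dev/null ||
        iptables -I "$CHAIN" -m set --match-set "$SET_NAME" src -j "$TARGET"
}

# hotplug-call exports ACTION; only act when a zone device is added.
if [ "${ACTION:-}" = "add" ]; then
    apply_macset
fi
```

The hash:mac type needs the ipset kernel support installed on the router; `ipset list IPSET_TEST` after a firewall restart shows whether the set was rebuilt.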
I also tried to use hash:mac but found fw3 doesn’t support it, even though it is supported by the underlying netfilter ipset. This is as of OpenWrt 21.02.0, so it has been around for a while.