I want to use 2 IPsets together in 1 firewall rule to block IPsets (destination IP) from a set of devices (MAC source IPset)
Also
Luci calls it IPSets but it's NFTables Sets ?
What is IPSets in https://192.168.1.1/cgi-bin/luci/admin/network/dhcp > Ipsets
"List of IP sets to populate with the IPs of DNS lookup results of the FQDNs also specified here.
The netfilter components below are only regarded when running fw4."
Back in the day there was this tool called ipset and Luci used the same term to reference it.
But with nftables, the ipset functionality was integrated and just called sets.
For legacy and other reasons ipset stuck as a name.
And yes you can use 2 sets in one rule, like match the source against one set and destination against another set...
You cannot use two or more ipsets in a UCI firewall rule. You would need to create a custom include for that. nftables supports using 2 sets in a rule, but firewall4 does not. You can test by manually inserting a rule with your set names.
nft insert rule inet fw4 forward_lan ether saddr @MyMACs ip daddr @MyIPs counter drop
The ipsets under DHCP are to specify DNS domains that dnsmasq-full will populate the IPs into the set for you. So you could have dnsmasq add any google.com query results to your Google ipset. But it does require dnsmasq-full instead of dnsmasq.
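An added example of the custom include the reply above refers to (not code from the thread or from the OpenWrt project). It assumes fw4's default behaviour of including files from /etc/nftables.d/ inside table inet fw4, and the set names, MAC addresses and destination network are constructed placeholders. The rule lives in its own base chain on the forward hook with a priority just before fw4's own forward chain, so the drop is evaluated first and no `nft insert` at boot is needed:

```nft
# /etc/nftables.d/10-mac-to-ip-block.nft  (assumed path; fw4 includes *.nft here into table inet fw4)

# Source devices, matched on MAC. Constructed example addresses.
set blocked_macs {
    type ether_addr
    elements = { 00:11:22:33:44:55, 66:77:88:99:aa:bb }
}

# Destination networks, matched on IPv4 address; 'interval' allows CIDR ranges.
set blocked_dsts {
    type ipv4_addr
    flags interval
    elements = { 203.0.113.0/24, 198.51.100.10 }
}

# Separate base chain so it runs before fw4's forward chain (priority filter = 0).
# Only traffic that matches BOTH sets is dropped; everything else falls through
# to fw4's normal zone forwarding rules.
chain mac_to_ip_block {
    type filter hook forward priority filter - 1; policy accept;
    ether saddr @blocked_macs ip daddr @blocked_dsts counter drop comment "listed devices to listed destinations"
}
```

If the sets are instead defined under UCI (config ipset) or populated by dnsmasq-full, leave the two set blocks out and reference the UCI set names in the rule; reload with `fw4 reload` (or `/etc/init.d/firewall reload`) and check `nft list chain inet fw4 mac_to_ip_block` to confirm the counter increments for the intended traffic.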
Thanks for the correction. (I never used sets with UCI, only directly with rules, but assumed that you could state a UCI rule with, like, match src against one and dst against another; or even ipset/nfsets hash sets with multiple values, like a src/dst tuple.)