Is it possible to make a firewall rule that matches everything except what's in an IPset? In other words, I want my IPset to include exceptions to the firewall rule, rather than inclusions.
Yes. If you refer to the uci firewall it would be
option ipset '!setname [direction]'. If you refer to plain iptables, it would be
-m set ! --match-set setname direction
Thanks. I'm trying to write this in /etc/config/firewall, so not sure what the corresponding entry would be.
option ipset '!piholes'
might be working... or doing nothing at all. Hard to test it.
-m set ! --match-set setname in match mark or extra argument.
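Added example, not taken from any post above: a small POSIX shell helper that takes a UCI-style option ipset value such as '!piholes' or 'piholes dest' and emits the matching iptables '-m set' arguments, so the two forms from the answer can be checked against each other. The comments carry a constructed /etc/config/firewall fragment. The set name 'piholes', the example addresses and ports, the default direction 'src' when none is given, and the mapping of 'dest' to the iptables keyword 'dst' are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): translate a UCI-style firewall
# 'option ipset' value into the equivalent iptables match arguments.
#
# Constructed /etc/config/firewall fragment the helper mirrors (names,
# addresses and the 'match' flag are assumptions):
#
#   config ipset
#       option name 'piholes'
#       option match 'dest_ip'
#       list entry '192.0.2.10'
#
#   config rule
#       option name 'Reject-DNS-except-piholes'
#       option src 'lan'
#       option dest 'wan'
#       option proto 'tcpudp'
#       option dest_port '53'
#       option ipset '!piholes dest'
#       option target 'REJECT'
#
# A leading '!' inverts the match (everything NOT in the set). An optional
# direction follows the set name; 'src' is assumed when it is omitted and
# 'dest' is mapped to the iptables keyword 'dst'.
uci_ipset_to_iptables() {
    spec="$1"
    negate=""
    case "$spec" in
        '!'*) negate="! "; spec="${spec#!}" ;;   # strip the inversion marker
    esac
    set -- $spec                                 # split "name [direction]"
    name="$1"
    dir="${2:-src}"
    case "$dir" in
        dest) dir="dst" ;;
    esac
    if [ -z "$name" ]; then
        echo "uci_ipset_to_iptables: empty ipset name" >&2
        return 1
    fi
    printf '%s\n' "-m set ${negate}--match-set ${name} ${dir}"
}

# Build a full iptables rule line: reject DNS from lan except for destinations
# listed in the set, i.e. the set holds the exceptions, not the inclusions.
build_rule() {
    match=$(uci_ipset_to_iptables "$1") || return 1
    printf '%s\n' "iptables -A FORWARD -i br-lan -p udp --dport 53 $match -j REJECT"
}

# Usage (prints the generated rule; this script does not apply it):
build_rule '!piholes dest'
```

The generated line is printed, not executed, so the translation can be inspected before anything is applied to a live ruleset; an inverted '!' match plus a REJECT target is exactly the "everything except the set" behaviour the question asks for.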