IPset: Use IP both of either destination or source without specifying src_ or dest_

Note, I'm using the LuCI web GUI.

I thought that I could use IP addr for matching an IP alone without specifying destination or source, but if I don't specify it, according to the tables, it seems that it defaults as a source.

I figured that when adding rules, it was implied via setting of destination/source zones--this way, I could use names of ipsets in firewall rules for possibly changing IP addresses of host devices without having to go through multiple rules to do so.

I tried setting an ipset rule to match IP source and destination, but that didn't work for what I suspect to be because it would need to match both simultaneously.

How may I go about setting names to IP addresses and then using those names in rules?

May I ask what are you trying to accomplish with this?

Yes it is possible to specify the set in a direction agnostic manner. You can specify the direction when referencing the set in the rule, e.g. option ipset 'my_set_with_ip_and_port src,dest' would match the source IP and the destination port, regardless how the set itself was declared in uci.

The syntax is option ipset '{setname} [direction[,direction[,direction]]]' where the direction keywords will override the match direction (source or destination) of the first, second and third ipset data type respectively. The direction keyword may be one of dst, dest (alias for dst) or src.

1 Like

To use names for ipsets for firewall rules for changing IP addresses of host devices without having to go through multiple rules to do so.

For example:
ipset 'printer' = 192.168.1.67

Rules:
Allow ports #,#,#,#,#,# to 'printer'
Allow ping to 'printer'
Block all to 'printer'
Block all from 'printer'

This way, I can move the printer's IP such as on a network transition, and I just change the IP to the ipset

1 Like

Thank you for your answer.

I got it to work via SSH/CLI, but could you clarify, for posterity, if these options are available via the web GUI / LuCI? It doesn't appear to be available, but maybe I'm doing something wrong.

Ah, I see that I have to type the ipset name and the direction into the box instead of using its dropdown menu.

That settles that. Thank you for your help.

May I recommend that the ipset used/set be made apparent on the 'Traffic Rules' page?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.