ipset How to add IP range from x to y The 2019 Stack Overflow Developer Survey Results Are Iniptables… blocking a range without flooding ipset set with IPsWebserver establishing new outgoing connections from port 443How can I let ipset entries “age”?blocking all but specific ips from specific services in CentOS 7how to automate creating firewall rules?How to match properly against an IP set of type 'hash:ip,port'?Google Cloud Platform: Remove the firewall rule that allowed traffic to all of the instancesIPSET matching unavailable for one linux installation, but not another… and only IPv4 is affectedHow to add a firewalld rich rule that will allow only 2 FTP connections per minute to the FTP server?How to import multiple ip's to Ipset?

Is bread bad for ducks?

Return to UK after being refused entry years previously

What are the motivations for publishing new editions of an existing textbook, beyond new discoveries in a field?

Button changing it's text & action. Good or terrible?

Are there incongruent pythagorean triangles with the same perimeter and same area?

What does Linus Torvalds mean when he says that Git "never ever" tracks a file?

If I score a critical hit on an 18 or higher, what are my chances of getting a critical hit if I roll 3d20?

Delete all lines which don't have n characters before delimiter

How come people say “Would of”?

What is the closest word meaning "respect for time / mindful"

A poker game description that does not feel gimmicky

Are children permitted to help build the Beis Hamikdash?

One word riddle: Vowel in the middle

What did it mean to "align" a radio?

Protecting Dualbooting Windows from dangerous code (like rm -rf)

Time travel alters history but people keep saying nothing's changed

Pokemon Turn Based battle (Python)

Why did Acorn's A3000 have red function keys?

How to notate time signature switching consistently every measure

Does a dangling wire really electrocute me if I'm standing in water?

How to support a colleague who finds meetings extremely tiring?

What does ひと匙 mean in this manga and has it been used colloquially?

Why hard-Brexiteers don't insist on a hard border to prevent illegal immigration after Brexit?

Falsification in Math vs Science



ipset How to add IP range from x to y



The 2019 Stack Overflow Developer Survey Results Are Iniptables… blocking a range without flooding ipset set with IPsWebserver establishing new outgoing connections from port 443How can I let ipset entries “age”?blocking all but specific ips from specific services in CentOS 7how to automate creating firewall rules?How to match properly against an IP set of type 'hash:ip,port'?Google Cloud Platform: Remove the firewall rule that allowed traffic to all of the instancesIPSET matching unavailable for one linux installation, but not another… and only IPv4 is affectedHow to add a firewalld rich rule that will allow only 2 FTP connections per minute to the FTP server?How to import multiple ip's to Ipset?



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1















I need to add this 81.212.0.0/14 ip range to ipset. But it doesnt calculate lower than /16.
I want to add from 81.212.0.0 to 81.215.255.255 IP addresses. Is there any other way but /14.



Im trying to allow connections from a specific IP range.



What I tried:




ipset -A allowiplist 81.212.0.0/14




What I expected:




That should allow connections between 81.212.0.0 - 81.215.255.255
P.S: All other rules works fine except but this.




I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.






linux firewall ipset







share|improve this question









New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Sorry but that makes no sense. Please proof-read, and fix. Then show us what you have tried, and what happened.

    – ctrl-alt-delor
    Apr 7 at 11:09











  • It may help to edit your question and show examples of what commands you're trying to run, and what the output is. Remember, don't put in screenshots, but cut'n'paste the text itself.

    – Stephen Harris
    Apr 7 at 11:31











  • Added them now. Thanks.

    – Sezer Toker
    Apr 7 at 11:49

















1















I need to add this 81.212.0.0/14 ip range to ipset. But it doesnt calculate lower than /16.
I want to add from 81.212.0.0 to 81.215.255.255 IP addresses. Is there any other way but /14.



Im trying to allow connections from a specific IP range.



What I tried:




ipset -A allowiplist 81.212.0.0/14




What I expected:




That should allow connections between 81.212.0.0 - 81.215.255.255
P.S: All other rules works fine except but this.




I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.






linux firewall ipset







share|improve this question









New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • Sorry but that makes no sense. Please proof-read, and fix. Then show us what you have tried, and what happened.

    – ctrl-alt-delor
    Apr 7 at 11:09











  • It may help to edit your question and show examples of what commands you're trying to run, and what the output is. Remember, don't put in screenshots, but cut'n'paste the text itself.

    – Stephen Harris
    Apr 7 at 11:31











  • Added them now. Thanks.

    – Sezer Toker
    Apr 7 at 11:49













1












1








1








I need to add this 81.212.0.0/14 ip range to ipset. But it doesnt calculate lower than /16.
I want to add from 81.212.0.0 to 81.215.255.255 IP addresses. Is there any other way but /14.



Im trying to allow connections from a specific IP range.



What I tried:




ipset -A allowiplist 81.212.0.0/14




What I expected:




That should allow connections between 81.212.0.0 - 81.215.255.255
P.S: All other rules works fine except but this.




I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.






linux firewall ipset







share|improve this question









New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I need to add this 81.212.0.0/14 ip range to ipset. But it doesnt calculate lower than /16.
I want to add from 81.212.0.0 to 81.215.255.255 IP addresses. Is there any other way but /14.



Im trying to allow connections from a specific IP range.



What I tried:




ipset -A allowiplist 81.212.0.0/14




What I expected:




That should allow connections between 81.212.0.0 - 81.215.255.255
P.S: All other rules works fine except but this.




I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.






linux firewall ipset




linux firewall ipset






share|improve this question









New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Apr 7 at 11:48







Sezer Toker













New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Apr 7 at 10:47









Sezer TokerSezer Toker

83




83




New contributor




Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Sezer Toker is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • Sorry but that makes no sense. Please proof-read, and fix. Then show us what you have tried, and what happened.

    – ctrl-alt-delor
    Apr 7 at 11:09











  • It may help to edit your question and show examples of what commands you're trying to run, and what the output is. Remember, don't put in screenshots, but cut'n'paste the text itself.

    – Stephen Harris
    Apr 7 at 11:31











  • Added them now. Thanks.

    – Sezer Toker
    Apr 7 at 11:49

















  • Sorry but that makes no sense. Please proof-read, and fix. Then show us what you have tried, and what happened.

    – ctrl-alt-delor
    Apr 7 at 11:09











  • It may help to edit your question and show examples of what commands you're trying to run, and what the output is. Remember, don't put in screenshots, but cut'n'paste the text itself.

    – Stephen Harris
    Apr 7 at 11:31











  • Added them now. Thanks.

    – Sezer Toker
    Apr 7 at 11:49
















Sorry but that makes no sense. Please proof-read, and fix. Then show us what you have tried, and what happened.

– ctrl-alt-delor
Apr 7 at 11:09





Sorry but that makes no sense. Please proof-read, and fix. Then show us what you have tried, and what happened.

– ctrl-alt-delor
Apr 7 at 11:09













It may help to edit your question and show examples of what commands you're trying to run, and what the output is. Remember, don't put in screenshots, but cut'n'paste the text itself.

– Stephen Harris
Apr 7 at 11:31





It may help to edit your question and show examples of what commands you're trying to run, and what the output is. Remember, don't put in screenshots, but cut'n'paste the text itself.

– Stephen Harris
Apr 7 at 11:31













Added them now. Thanks.

– Sezer Toker
Apr 7 at 11:49





Added them now. Thanks.

– Sezer Toker
Apr 7 at 11:49










2 Answers
2






active

oldest

votes


















0















I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.




You may be exactly correct here. If you are using an IPset of type hash, it has a maximal number of elements it can store, settable by the maxelem parameter when creating the IPset... and the default value for maxelem is 65536. And if you use a hash of type bitmap, 65536 addresses is the maximum size of the map.



But what are you using the IPset for? If you are simply matching against the whole /14 segment, a hash-based IPset will be much less efficient than a simple network address & mask-based match.



But if you are just setting up an initial set and planning to later selectively knock out specific IP addresses from it, then it would make sense to use an IPset.



Even so, if the number of knocked-out IPs is expected to be relatively small, it might be sensible to invert the sense of whatever you're doing and use a mask-based match as the general rule and the IPset-based match as exceptions to it.



Something like:



iptables -N maybeAllow81_212
iptables -A maybeAllow81_212 -m set --match-set denyiplist_81_212 src -j DROP
iptables -A maybeAllow81_212 -j ACCEPT

iptables -A INPUT -s 81.212.0.0/14 -j maybeAllow81_212


This way, any traffic that is not coming from within the 81.212.0.0/14 can be processed in the main INPUT chain with essentially just two assembler instructions: one 32-bit AND and one 32-bit comparision. You cannot get much faster than that.



Any traffic from within that segment gets diverted to the maybeAllow81_212 subchain which will do the hash match (with an inverted, hopefully much smaller set to match against with!) and then allow everyone who doesn't match the set to pass.






share|improve this answer























  • Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

    – LL3
    Apr 7 at 12:33











  • Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

    – LL3
    Apr 7 at 14:32


















0














That can only be because your allowiplist set is of type bitmap:ip (any one of its sub-types), which only allows /16 networks at most, or of type hash:ip (again any one of its sub-types) with the default limit of 65535 elements.



You can see what exact type your set is with:



ipset -t list allowiplist


You rather need to use (any one of) the hash:net ipset types to go lower than /16 networks.



However, the hash:net types do not accept true ranges like e.g. 81.212.5.13-81.212.7.4 like bitmap:ip or hash:ip types do.



You could extend the hash:ip types maxelem limit, but it wouldn't make for an efficient solution.



So if you really need ranges that overlap beyond /16 networks I would advise to use the iptables's own -m iprange match type, if it's possible for your overall setup.






share|improve this answer

























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    Sezer Toker is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f511021%2fipset-how-to-add-ip-range-from-x-to-y%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0















    I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.




    You may be exactly correct here. If you are using an IPset of type hash, it has a maximal number of elements it can store, settable by the maxelem parameter when creating the IPset... and the default value for maxelem is 65536. And if you use a hash of type bitmap, 65536 addresses is the maximum size of the map.



    But what are you using the IPset for? If you are simply matching against the whole /14 segment, a hash-based IPset will be much less efficient than a simple network address & mask-based match.



    But if you are just setting up an initial set and planning to later selectively knock out specific IP addresses from it, then it would make sense to use an IPset.



    Even so, if the number of knocked-out IPs is expected to be relatively small, it might be sensible to invert the sense of whatever you're doing and use a mask-based match as the general rule and the IPset-based match as exceptions to it.



    Something like:



    iptables -N maybeAllow81_212
    iptables -A maybeAllow81_212 -m set --match-set denyiplist_81_212 src -j DROP
    iptables -A maybeAllow81_212 -j ACCEPT

    iptables -A INPUT -s 81.212.0.0/14 -j maybeAllow81_212


    This way, any traffic that is not coming from within the 81.212.0.0/14 can be processed in the main INPUT chain with essentially just two assembler instructions: one 32-bit AND and one 32-bit comparision. You cannot get much faster than that.



    Any traffic from within that segment gets diverted to the maybeAllow81_212 subchain which will do the hash match (with an inverted, hopefully much smaller set to match against with!) and then allow everyone who doesn't match the set to pass.






    share|improve this answer























    • Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

      – LL3
      Apr 7 at 12:33











    • Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

      – LL3
      Apr 7 at 14:32















    0















    I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.




    You may be exactly correct here. If you are using an IPset of type hash, it has a maximal number of elements it can store, settable by the maxelem parameter when creating the IPset... and the default value for maxelem is 65536. And if you use a hash of type bitmap, 65536 addresses is the maximum size of the map.



    But what are you using the IPset for? If you are simply matching against the whole /14 segment, a hash-based IPset will be much less efficient than a simple network address & mask-based match.



    But if you are just setting up an initial set and planning to later selectively knock out specific IP addresses from it, then it would make sense to use an IPset.



    Even so, if the number of knocked-out IPs is expected to be relatively small, it might be sensible to invert the sense of whatever you're doing and use a mask-based match as the general rule and the IPset-based match as exceptions to it.



    Something like:



    iptables -N maybeAllow81_212
    iptables -A maybeAllow81_212 -m set --match-set denyiplist_81_212 src -j DROP
    iptables -A maybeAllow81_212 -j ACCEPT

    iptables -A INPUT -s 81.212.0.0/14 -j maybeAllow81_212


    This way, any traffic that is not coming from within the 81.212.0.0/14 can be processed in the main INPUT chain with essentially just two assembler instructions: one 32-bit AND and one 32-bit comparision. You cannot get much faster than that.



    Any traffic from within that segment gets diverted to the maybeAllow81_212 subchain which will do the hash match (with an inverted, hopefully much smaller set to match against with!) and then allow everyone who doesn't match the set to pass.






    share|improve this answer























    • Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

      – LL3
      Apr 7 at 12:33











    • Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

      – LL3
      Apr 7 at 14:32













    0












    0








    0








    I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.




    You may be exactly correct here. If you are using an IPset of type hash, it has a maximal number of elements it can store, settable by the maxelem parameter when creating the IPset... and the default value for maxelem is 65536. And if you use a hash of type bitmap, 65536 addresses is the maximum size of the map.



    But what are you using the IPset for? If you are simply matching against the whole /14 segment, a hash-based IPset will be much less efficient than a simple network address & mask-based match.



    But if you are just setting up an initial set and planning to later selectively knock out specific IP addresses from it, then it would make sense to use an IPset.



    Even so, if the number of knocked-out IPs is expected to be relatively small, it might be sensible to invert the sense of whatever you're doing and use a mask-based match as the general rule and the IPset-based match as exceptions to it.



    Something like:



    iptables -N maybeAllow81_212
    iptables -A maybeAllow81_212 -m set --match-set denyiplist_81_212 src -j DROP
    iptables -A maybeAllow81_212 -j ACCEPT

    iptables -A INPUT -s 81.212.0.0/14 -j maybeAllow81_212


    This way, any traffic that is not coming from within the 81.212.0.0/14 can be processed in the main INPUT chain with essentially just two assembler instructions: one 32-bit AND and one 32-bit comparision. You cannot get much faster than that.



    Any traffic from within that segment gets diverted to the maybeAllow81_212 subchain which will do the hash match (with an inverted, hopefully much smaller set to match against with!) and then allow everyone who doesn't match the set to pass.






    share|improve this answer














    I think the problem is 81.212.0.0/14 have bigger IP count than 65535, maybe idk.




    You may be exactly correct here. If you are using an IPset of type hash, it has a maximal number of elements it can store, settable by the maxelem parameter when creating the IPset... and the default value for maxelem is 65536. And if you use a hash of type bitmap, 65536 addresses is the maximum size of the map.



    But what are you using the IPset for? If you are simply matching against the whole /14 segment, a hash-based IPset will be much less efficient than a simple network address & mask-based match.



    But if you are just setting up an initial set and planning to later selectively knock out specific IP addresses from it, then it would make sense to use an IPset.



    Even so, if the number of knocked-out IPs is expected to be relatively small, it might be sensible to invert the sense of whatever you're doing and use a mask-based match as the general rule and the IPset-based match as exceptions to it.



    Something like:



    iptables -N maybeAllow81_212
    iptables -A maybeAllow81_212 -m set --match-set denyiplist_81_212 src -j DROP
    iptables -A maybeAllow81_212 -j ACCEPT

    iptables -A INPUT -s 81.212.0.0/14 -j maybeAllow81_212


    This way, any traffic that is not coming from within the 81.212.0.0/14 can be processed in the main INPUT chain with essentially just two assembler instructions: one 32-bit AND and one 32-bit comparision. You cannot get much faster than that.



    Any traffic from within that segment gets diverted to the maybeAllow81_212 subchain which will do the hash match (with an inverted, hopefully much smaller set to match against with!) and then allow everyone who doesn't match the set to pass.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Apr 7 at 12:21









    telcoMtelcoM

    20.8k12452




    20.8k12452












    • Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

      – LL3
      Apr 7 at 12:33











    • Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

      – LL3
      Apr 7 at 14:32

















    • Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

      – LL3
      Apr 7 at 12:33











    • Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

      – LL3
      Apr 7 at 14:32
















    Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

    – LL3
    Apr 7 at 12:33





    Maybe I haven't understood you well but in a hash:net type ipset a 81.212.0.0/14 network is only one element, not the whole 262k addresses (like it would be in a bitmap:ip type), therefore the maxelem's (configurable) limit of 65535 does not apply to OP's case.

    – LL3
    Apr 7 at 12:33













    Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

    – LL3
    Apr 7 at 14:32





    Whoops, sorry, never mind. I only just noticed that you were referring to hash types in general, not specifically the hash:net one

    – LL3
    Apr 7 at 14:32













    0














    That can only be because your allowiplist set is of type bitmap:ip (any one of its sub-types), which only allows /16 networks at most, or of type hash:ip (again any one of its sub-types) with the default limit of 65535 elements.



    You can see what exact type your set is with:



    ipset -t list allowiplist


    You rather need to use (any one of) the hash:net ipset types to go lower than /16 networks.



    However, the hash:net types do not accept true ranges like e.g. 81.212.5.13-81.212.7.4 like bitmap:ip or hash:ip types do.



    You could extend the hash:ip types maxelem limit, but it wouldn't make for an efficient solution.



    So if you really need ranges that overlap beyond /16 networks I would advise to use the iptables's own -m iprange match type, if it's possible for your overall setup.






    share|improve this answer





























      0














      That can only be because your allowiplist set is of type bitmap:ip (any one of its sub-types), which only allows /16 networks at most, or of type hash:ip (again any one of its sub-types) with the default limit of 65535 elements.



      You can see what exact type your set is with:



      ipset -t list allowiplist


      You rather need to use (any one of) the hash:net ipset types to go lower than /16 networks.



      However, the hash:net types do not accept true ranges like e.g. 81.212.5.13-81.212.7.4 like bitmap:ip or hash:ip types do.



      You could extend the hash:ip types maxelem limit, but it wouldn't make for an efficient solution.



      So if you really need ranges that overlap beyond /16 networks I would advise to use the iptables's own -m iprange match type, if it's possible for your overall setup.






      share|improve this answer



























        0












        0








        0







        That can only be because your allowiplist set is of type bitmap:ip (any one of its sub-types), which only allows /16 networks at most, or of type hash:ip (again any one of its sub-types) with the default limit of 65535 elements.



        You can see what exact type your set is with:



        ipset -t list allowiplist


        You rather need to use (any one of) the hash:net ipset types to go lower than /16 networks.



        However, the hash:net types do not accept true ranges like e.g. 81.212.5.13-81.212.7.4 like bitmap:ip or hash:ip types do.



        You could extend the hash:ip types maxelem limit, but it wouldn't make for an efficient solution.



        So if you really need ranges that overlap beyond /16 networks I would advise to use the iptables's own -m iprange match type, if it's possible for your overall setup.






        share|improve this answer















        That can only be because your allowiplist set is of type bitmap:ip (any one of its sub-types), which only allows /16 networks at most, or of type hash:ip (again any one of its sub-types) with the default limit of 65535 elements.



        You can see what exact type your set is with:



        ipset -t list allowiplist


        You rather need to use (any one of) the hash:net ipset types to go lower than /16 networks.



        However, the hash:net types do not accept true ranges like e.g. 81.212.5.13-81.212.7.4 like bitmap:ip or hash:ip types do.



        You could extend the hash:ip types maxelem limit, but it wouldn't make for an efficient solution.



        So if you really need ranges that overlap beyond /16 networks I would advise to use the iptables's own -m iprange match type, if it's possible for your overall setup.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Apr 7 at 14:25

























        answered Apr 7 at 12:15









        LL3LL3

        1,1999




        1,1999




















            Sezer Toker is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            Sezer Toker is a new contributor. Be nice, and check out our Code of Conduct.












            Sezer Toker is a new contributor. Be nice, and check out our Code of Conduct.











            Sezer Toker is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f511021%2fipset-how-to-add-ip-range-from-x-to-y%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Àrd-bhaile Cathair chruinne/Baile mòr cruinne | Artagailean ceangailte | Clàr-taice na seòladaireachd

            Image
            Cruinn-eòlas àrd-chathaircathairbailesgaoileadheaconamachphoilitigeachchultarachroinndhùthcharìgh-chathairdlùth-chruinneasionmhas cruinneconaltradhsiubhalsòiseo-eacanomaigeachLunnainnan t-saoghalAn RòimhConstantinopleDamascusNanjing Àrd-bhaile O Uicipeid Jump to navigation Jump to search Shanghai 'S e a th' ann an àrd-bhaile no àrd-chathair ach cathair, no baile, a tha mòr dha-rìreabh, le tuilleadh air leth-mhillean luchd-còmhnaidh anns a' chathair-bhaile fhèin, agus le co-dhiù millean daoine a' fuireach mun cuairt air. Tha na bailtean mòra a thèid a ghabhail a-steach ann an sgaoileadh àrd-bhaile gam meas mar phàirt dheth, 's chan ann nan àrd-bhailtean iad fhèin, a chionn 's nach eil iad aig cridhe an sgaoilidh bhailteil sin. Mar as trice, tha àrd-bhaile ann an teis-mheadhan gnothaichean eaconamach, agus aig cridhe cùisean...
            Read more

            대한민국 목차 국명 지리 역사 정치 국방 경제 사회 문화 국제 순위 관련 항목 각주 외부 링크 둘러보기 메뉴북위 37° 34′ 08″ 동경 126° 58′ 36″ / 북위 37.568889° 동경 126.976667°  / 37.568889; 126.976667ehThe Korean Repository문단을 편집문단을 편집추가해Clarkson PLC 사Report for Selected Countries and Subjects-Korea“Human Development Index and its components: P.198”“http://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EB%8C%80%ED%95%9C%EB%AF%BC%EA%B5%AD%EA%B5%AD%EA%B8%B0%EB%B2%95”"한국은 국제법상 한반도 유일 합법정부 아니다" - 오마이뉴스 모바일Report for Selected Countries and Subjects: South Korea격동의 역사와 함께한 조선일보 90년 : 조선일보 인수해 혁신시킨 신석우, 임시정부 때는 '대한민국' 국호(國號) 정해《우리가 몰랐던 우리 역사: 나라 이름의 비밀을 찾아가는 역사 여행》“남북 공식호칭 ‘남한’‘북한’으로 쓴다”“Corea 대 Korea, 누가 이긴 거야?”국내기후자료 - 한국[김대중 前 대통령 서거] 과감한 구조개혁 'DJ노믹스'로 최단기간 환란극복 :: 네이버 뉴스“이라크 "韓-쿠르드 유전개발 MOU 승인 안해"(종합)”“해외 우리국민 추방사례 43%가 일본”차기전차 K2'흑표'의 세계 최고 전력 분석, 쿠키뉴스 엄기영, 2007-03-02두산인프라, 헬기잡는 장갑차 'K21'...내년부터 공급, 고뉴스 이대준, 2008-10-30과거 내용 찾기mk 뉴스 - 구매력 기준으로 보면 한국 1인당 소득 3만弗과거 내용 찾기"The N-11: More Than an Acronym"Archived조선일보 최우석, 2008-11-01Global 500 2008: Countries - South Korea“몇년째 '시한폭탄'... 가계부채, 올해는 터질까”가구당 부채 5000만원 처음 넘어서“‘빚’으로 내몰리는 사회.. 위기의 가계대출”“[경제365] 공공부문 부채 급증…800조 육박”“"소득 양극화 다소 완화...불평등은 여전"”“공정사회·공생발전 한참 멀었네”iSuppli,08年2QのDRAMシェア・ランキングを発表(08/8/11)South Korea dominates shipbuilding industry | Stock Market News & Stocks to Watch from StraightStocks한국 자동차 생산, 3년 연속 세계 5위자동차수출 '현대-삼성 웃고 기아-대우-쌍용은 울고' 과거 내용 찾기동반성장위 창립 1주년 맞아Archived"중기적합 3개업종 합의 무시한 채 선정"李대통령, 사업 무분별 확장 소상공인 생계 위협 질타삼성-LG, 서민업종인 빵·분식사업 잇따라 철수상생은 뒷전…SSM ‘몸집 불리기’ 혈안Archived“경부고속도에 '아시안하이웨이' 표지판”'철의 실크로드' 앞서 '말(言)의 실크로드'부터, 프레시안 정창현, 2008-10-01“'서울 지하철은 안전한가?'”“서울시 “올해 안에 모든 지하철역 스크린도어 설치””“부산지하철 1,2호선 승강장 안전펜스 설치 완료”“전교조, 정부 노조 통계서 처음 빠져”“[Weekly BIZ] 도요타 '제로 이사회'가 리콜 사태 불러들였다”“S Korea slams high tuition costs”““정치가 여론 양극화 부채질… 합리주의 절실””“〈"`촛불집회'는 민주주의의 질적 변화 상징"〉”““촛불집회가 민주주의 왜곡 초래””“국민 65%, "한국 노사관계 대립적"”“한국 국가경쟁력 27위‥노사관계 '꼴찌'”“제대로 형성되지 않은 대한민국 이념지형”“[신년기획-갈등의 시대] 갈등지수 OECD 4위…사회적 손실 GDP 27% 무려 300조”“2012 총선-대선의 키워드는 '국민과 소통'”“한국 삶의 질 27위, 2000년과 2008년 연속 하위권 머물러”“[해피 코리아] 행복점수 68점…해외 평가선 '낙제점'”“한국 어린이·청소년 행복지수 3년 연속 OECD ‘꼴찌’”“한국 이혼율 OECD중 8위”“[통계청] 한국 이혼율 OECD 4위”“오피니언 [이렇게 생각한다] `부부의 날` 에 돌아본 이혼율 1위 한국”“Suicide Rates by Country, Global Health Observatory Data Repository.”“1. 또 다른 차별”“오피니언 [편집자에게] '왕따'와 '패거리 정치' 심리는 닮은꼴”“[미래한국리포트] 무한경쟁에 빠진 대한민국”“대학생 98% "외모가 경쟁력이라는 말 동의"”“특급호텔 웨딩·200만원대 유모차… "남보다 더…" 호화病, 고질병 됐다”“[스트레스 공화국] ① 경쟁사회, 스트레스 쌓인다”““매일 30여명 자살 한국, 의사보다 무속인에…””“"자살 부르는 '우울증', 환자 중 85% 치료 안 받아"”“정신병원을 가다”“대한민국도 ‘묻지마 범죄’,안전지대 아니다”“유엔 "학생 '성적 지향'에 따른 차별 금지하라"”“유엔아동권리위원회 보고서 및 번역본 원문”“고졸 성공스토리 담은 '제빵왕 김탁구' 드라마 나온다”“‘빛 좋은 개살구’ 고졸 취업…실습 대신 착취”원본 문서“정신건강, 사회적 편견부터 고쳐드립니다”‘소통’과 ‘행복’에 목 마른 사회가 잠들어 있던 ‘심리학’ 깨웠다“[포토] 사유리-곽금주 교수의 유쾌한 심리상담”“"올해 한국인 평균 영화관람횟수 세계 1위"(종합)”“[게임연중기획] 게임은 문화다-여가활동 1순위 게임”“영화속 ‘영어 지상주의’ …“왠지 씁쓸한데””“2월 `신문 부수 인증기관` 지정..방송법 후속작업”“무료신문 성장동력 ‘차별성’과 ‘갈등해소’”대한민국 국회 법률지식정보시스템"Pew Research Center's Religion & Public Life Project: South Korea"“amp;vwcd=MT_ZTITLE&path=인구·가구%20>%20인구총조사%20>%20인구부문%20>%20 총조사인구(2005)%20>%20전수부문&oper_YN=Y&item=&keyword=종교별%20인구& amp;lang_mode=kor&list_id= 2005년 통계청 인구 총조사”원본 문서“한국인이 좋아하는 취미와 운동 (2004-2009)”“한국인이 좋아하는 취미와 운동 (2004-2014)”Archived“한국, `부분적 언론자유국' 강등〈프리덤하우스〉”“국경없는기자회 "한국, 인터넷감시 대상국"”“한국, 조선산업 1위 유지(S. Korea Stays Top Shipbuilding Nation) RZD-Partner Portal”원본 문서“한국, 4년 만에 ‘선박건조 1위’”“옛 마산시,인터넷속도 세계 1위”“"한국 초고속 인터넷망 세계1위"”“인터넷·휴대폰 요금, 외국보다 훨씬 비싸”“한국 관세행정 6년 연속 세계 '1위'”“한국 교통사고 사망자 수 OECD 회원국 중 2위”“결핵 후진국' 한국, 환자가 급증한 이유는”“수술은 신중해야… 자칫하면 생명 위협”대한민국분류대한민국의 지도대한민국 정부대표 다국어포털대한민국 전자정부대한민국 국회한국방송공사about korea and information korea브리태니커 백과사전(한국편)론리플래닛의 정보(한국편)CIA의 세계 정보(한국편)마리암 부디아 (Mariam Budia),『한국: 하늘이 내린 한 폭의 그림』, 서울: 트랜스라틴 19호 (2012년 3월)대한민국ehehehehehehehehehehehehehehWorldCat132441370n791268020000 0001 2308 81034078029-6026373548cb11863345f(데이터)00573706ge128495

            Image
            고조선원삼국 시대삼국 시대남북국 시대후삼국 시대고려조선대한제국일제 강점기대한민국 임시 정부한반도 분단미군정개요제1공화국제2공화국제3공화국제4공화국제5공화국제6공화국4.3 사건6.25 전쟁4.19 혁명5.16 쿠테타한강의 기적부마 항쟁10.26 사태12.12 사태광주 민주화 운동6월 항쟁1988년 서울올림픽IMF 외환...
            Read more

            Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

            Image
            Make it rain characters Keeping a retro style to sci-fi spaceships? How to split my screen on my Macbook Air? How can I define good in a religion that claims no moral authority? does high air pressure throw off wheel balance? Scientific Reports - Significant Figures Relations between two reciprocal partial derivatives? How to delete random line from file using Unix command? How did passengers keep warm on sail ships? How are presidential pardons supposed to be used? Are my PIs rude or am I just being too sensitive? He got a vote 80% that of Emmanuel Macron’s Change bounding box of math glyphs in LuaTeX Match Roman Numerals Was credit for the black hole image misattributed? How to pronounce 1ターン? how can a perfect fourth interval be considered either consonant or dissonant? Working through the single responsibility principle (SRP) in Python when calls are expensive High Q peak in frequency response means what in time domain? ...
            Read more