ipset in firewall


It would be nice for firewall settings to allow having -j SET as a target together with specified --add-set, --del-set, timeout and exist. It might be also nice to have ability to set static members of such sets (similar to current address-group).

Together with this options there should be a standard option to use such an ipset in a firewall rule (match set / doesn't match set).

This allows for implementation of port knocking in firewall, high performance matching of multiple addreses (like safe lists) and automatic throttling of too prolific scanners.

As an alternative it would be nice to be able to specify raw iptables rule which would survive upgrades


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)