Does allownets support negative CIDRs?
If the IPs are processed in listed order, IMHO yes.

Example: allow_nets=127.0.0.0/8,192.168.0.0/16,!1.2.3.4,4.5.6.7

Deny 1.2.3.4 but allow all others listed per user. This does not work with PAM per user, but allownets is generic per login user if the fields are in the auth DB.
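The condition in the reply above ("if the IPs are processed in listed order") can be made concrete with a small model. This is an added example, not Dovecot code and not part of the original post. It assumes first-match evaluation, a `!` prefix meaning deny, and deny when nothing matches. The function names and the two carve-out lists are constructed for illustration, and whether allow_nets itself parses `!` entries is not established on this page.

```python
import ipaddress

def parse_rules(spec):
    """Split a comma-separated list into (negated, network) pairs, in listed order."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        # strict=False tolerates host bits in a CIDR such as 192.168.1.5/16
        rules.append((negated, ipaddress.ip_network(item, strict=False)))
    return rules

def is_allowed(spec, client_ip):
    """Assumed semantics: the first matching entry decides, no match means deny."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in parse_rules(spec):
        if ip.version == net.version and ip in net:
            return not negated
    return False

# List taken from the reply above.
REPLY_LIST = "127.0.0.0/8,192.168.0.0/16,!1.2.3.4,4.5.6.7"
# Same list without the negated entry, to compare the outcome for 1.2.3.4.
REPLY_LIST_NO_NEG = "127.0.0.0/8,192.168.0.0/16,4.5.6.7"
# Constructed lists: the negated host lies inside an allowed range,
# so the position of the "!" entry changes the result.
CARVE_OUT_FIRST = "!192.168.1.5,192.168.0.0/16"
CARVE_OUT_LAST = "192.168.0.0/16,!192.168.1.5"

if __name__ == "__main__":
    checks = [
        (REPLY_LIST, "1.2.3.4"),
        (REPLY_LIST_NO_NEG, "1.2.3.4"),
        (REPLY_LIST, "4.5.6.7"),
        (CARVE_OUT_FIRST, "192.168.1.5"),
        (CARVE_OUT_LAST, "192.168.1.5"),
    ]
    for spec, ip in checks:
        verdict = "allow" if is_allowed(spec, ip) else "deny"
        print(f"{ip:<12} vs {spec:<48} -> {verdict}")
```

Under these assumptions a negated entry only changes the outcome when it precedes a broader range that would otherwise match the same address.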