Hi, I'm thinking about something like (taken from my home router):
config route option target '103.136.220.0/22' option interface 'wan' option type 'blackhole' config route option target '103.123.116.0/22' option interface 'wan' option type 'blackhole' config route option target '130.44.212.0/22' option interface 'wan' option type 'blackhole' etc. Kudos to you if you spotted these as being ByteDance TikTok servers in China which US subscribers aren't supposed to have their traffic sent to, but (surprise!!!) it still is anyway. A nicer (more compact) notation might be: config route list target '103.123.116.0/22' list target '103.136.220.0/22' list target '130.44.212.0/22' option interface 'wan' option type 'blackhole' So, how about a change to config/route where, if it doesn't find 'option target', then it searches for 'list target' instead, and populates an ipset instead, using that for the match criteria? We could probably do something similar for config/rule in the firewall, for the src_ip, src_port, dst_ip, dst_port, etc. using 'list' instead of 'option', and ipsets to compactly match multiple addresses, ports, etc. But then, firewall would depend on ipset functionality being baked in. On x86_64, this isn't big: -rw-r--r-- 1 philipp philipp 823 May 10 22:15 bin/targets/x86/64/packages/kmod-ipt-ipset_5.4.110-1_x86_64.ipk -rw-r--r-- 1 philipp philipp 2036 Mar 19 16:57 bin/packages/x86_64/base/ipset_7.6-1_x86_64.ipk What do you all think? -Philip _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel