- push @cmd, "-m iprange --src-range" if $nbsource > 1;
- push @cmd, "-s $rule->{source}" if $rule->{source};
- push @cmd, "-m iprange --dst-range" if $nbdest > 1;
- push @cmd, "-d $rule->{dest}" if $rule->{dest};
+ my $source = $rule->{source};
+ my $dest = $rule->{dest};
+
+ if ($source) {
+ if ($source =~ m/^(\+)(\S+)$/) {
+ die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
+ push @cmd, "-m set --match-set PVEFW-$2 src";
+
+ } elsif ($source =~ m/\-/){
+ push @cmd, "-m iprange --src-range $source";
+
+ } else {
+ push @cmd, "-s $source";
+ }
+ }
+
+ if ($dest) {
+ if ($dest =~ m/^(\+)(\S+)$/) {
+ die "no such ipset $2" if !$cluster_conf->{ipset}->{$2};
+ push @cmd, "-m set --match-set PVEFW-$2 dst";
+
+ } elsif ($dest =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ push @cmd, "-m iprange --dst-range $dest";
+
+ } else {
+ push @cmd, "-s $dest";
+ }
+ }
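Review bot: The final `else` branch of the `$dest` block pushes `"-s $dest"`, so a plain destination address ends up as a source match and the rule filters the wrong side of the connection; it should be `push @cmd, "-d $dest";`, as the removed line had it. The two range tests also disagree: source treats any value containing `-` as a range (`m/\-/`), while dest uses a dotted-quad pattern whose second and third `.` in each address are unescaped and match any character. Using one shared, fully anchored pattern with every dot written as `\.` for both sides would keep a non-range value with a hyphen from reaching `--src-range`. Since `$source` and `$dest` are interpolated into the command string, the fall-through branches rely on the values having been validated before this point, which is not visible here; the enclosing sub starts and ends outside the hunk.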