- push @cmd, "-m iprange --src-range" if $nbsource > 1;
- push @cmd, "-s $rule->{source}" if $rule->{source};
- push @cmd, "-m iprange --dst-range" if $nbdest > 1;
- push @cmd, "-d $rule->{dest}" if $rule->{dest};
+ my $source = $rule->{source};
+ my $dest = $rule->{dest};
+
+ if ($source){
+ if($source =~ m/^(\+)(\S+)$/){
+ die "no such netgroup $2" if !$cluster_conf->{ipset}->{$2};
+ push @cmd, "-m set --match-set $2 src";
+
+ }elsif ($source =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ push @cmd, "-m iprange --src-range $source";
+
+ }else{
+ push @cmd, "-s $source";
+ }
+ }
+
+ if ($dest){
+ if($dest =~ m/^(\+)(\S+)$/){
+ die "no such netgroup $2" if !$cluster_conf->{ipset}->{$2};
+ push @cmd, "-m set --match-set $2 dst";
+
+ }elsif ($dest =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
+ push @cmd, "-m iprange --dst-range $dest";
+
+ }else{
+ push @cmd, "-s $dest";
+ }
+ }
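Review bot: The plain-address branch for the destination (the final `else` of the `$dest` block) emits `-s $dest`, so the rule matches on source address instead of destination; the removed code used `-d`, and the line should read `push @cmd, "-d $dest";`. In both `elsif` range patterns only the first dot of each address is escaped (`(\d+)\.(\d+).(\d+).(\d+)`), so the other two positions accept any character; writing every separator as `\.` keeps the match to dotted quads. The netgroup name captured by `\S+` is interpolated into the command string after nothing more than a lookup in `$cluster_conf->{ipset}`, which is only safe if ipset names are validated where they are defined; that is worth confirming, or the name can be restricted here with a stricter pattern such as `\w+`. The enclosing sub starts and ends outside the hunk, so how `@cmd` is later joined and executed is not visible from here.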