From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 09:00:48 2008
Message-ID: <48201E0D.60803@yandex.ru>
Date: Tue, 06 May 2008 12:59:57 +0400
From: "Andrey V. Elsukov"
To: budsz
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: Syntax base IP
In-Reply-To: <4d4dc3640805040840t5725fb4ejfd19da3c3f78ec73@mail.gmail.com>

budsz wrote:
> ipunlimit="192.168.0.100/32,10.35.4.1/32,202.129.189.42/32,\
> 202.129.189.45/32,125.163.77.180/32,202.43.167.70/32,\
> 202.43.167.72/32,202.43.161.119/32,202.10.32.10/32,202.93.20.22/32,\
> 202.93.20.23/32,202.93.20.24/32,122.102.49.132/32,\
> 202.43.161.124/32,202.93.247.26/32,202.93.247.28/32"

> ${fwcmd} add 100 pipe 1 ip from ${ippriviix} to { not ${ipunlimit} }
> ${portlim} via ${ifint0}
> ${fwcmd} add 101 pipe 1 ip from { not ${ipunlimit} } ${portlim} to
> ${ippriviix} via ${ifint0}

> Executing firewall I got error message like this:

> #sh /etc/rc.firewall
> ipfw: opcode 6 size 33 wrong
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> ipfw: opcode 2 size 33 wrong
> ipfw: getsockopt(IP_FW_ADD): Invalid argument

It means that your src and dst addresses are too long.

> Any clue or suggestion about this syntax?

Try to use lookup tables.

-- 
WBR, Andrey V. Elsukov
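
The lookup-table approach suggested in the reply, sketched as an added example that is not part of the original thread: the address list is loaded into an ipfw table one entry at a time, and the two pipe rules match on `table(1)` instead of an inline list, so the per-rule opcode stays small however many addresses there are. The table number, the `run`/`DRYRUN` helper, and the values of `ippriviix`, `portlim`, `ifint0` and the sample addresses are assumptions, since the post does not show them.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints the commands by default;
# run with DRYRUN=0 as root to apply them.
: "${DRYRUN:=1}"
fwcmd="/sbin/ipfw -q"
tbl=1                        # table number: an assumption
ifint0="em0"                 # constructed placeholder
ippriviix="203.0.113.0/24"   # constructed placeholder
portlim="80,443"             # constructed placeholder
# Constructed sample in the same comma-separated form as the posted ipunlimit.
ipunlimit="192.0.2.10/32,192.0.2.11/32,198.51.100.0/24"

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRYRUN}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Load every entry of a comma-separated IPv4 list into table ${tbl}.
load_table() {
    run ${fwcmd} table "${tbl}" flush          # start from an empty table
    for _addr in $(echo "$1" | tr ',' ' '); do
        # Accept only digits, dots and a prefix length; refuse anything else
        # rather than passing it on to ipfw.
        case "${_addr}" in
            *[!0-9./]*) echo "bad entry: ${_addr}" >&2; return 1 ;;
        esac
        run ${fwcmd} table "${tbl}" add "${_addr}" || return 1
    done
}

# The two pipe rules from the post, matching on the table, not an inline list.
load_rules() {
    load_table "${ipunlimit}" || return 1
    run ${fwcmd} add 100 pipe 1 ip from "${ippriviix}" to not "table(${tbl})" \
        ${portlim} via "${ifint0}"
    run ${fwcmd} add 101 pipe 1 ip from not "table(${tbl})" ${portlim} to \
        "${ippriviix}" via "${ifint0}"
}

load_rules
```

Entries can later be added or removed with `ipfw table 1 add` and `ipfw table 1 delete` without reloading the rules.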