Date: Fri, 11 May 2018 16:28:09 +0100
From: Mark Raynsford <list+org.freebsd.net@io7m.com>
To: freebsd-net@freebsd.org
Subject: pf: Efficiently specifying discontinuous IPv6 ranges
Message-ID: <20180511162809.4b59ef02@almond.int.arc7.info>

Hello.

Let's say I have a host and I want to restrict access to that host to a discontinuous range of IPv6 addresses.
For example, let's say I want to allow access to a host from addresses [2a00:1450:400c::, 2a00:1450:400c::1000], [2a04:4e42:600::200, 2a04:4e42:600::400], and individually 2001:1900:2254:206a::50:0, 2001:19f0:5:61d:f000::, and 2001:4998:58:1836::10.

I could try this:

  good_0 = "2a00:1450:400c:: - 2a00:1450:400c::1000"
  good_1 = "2a04:4e42:600::200 - 2a04:4e42:600::400"
  good_2 = 2001:1900:2254:206a::50:0
  good_3 = 2001:19f0:5:61d:f000::
  good_4 = 2001:4998:58:1836::10

  table = { \
    $good_0, \
    $good_1, \
    $good_2, \
    $good_3, \
    $good_4 \
  }

  pass in from to me ...

This, however, won't work because IPv6 address ranges are not allowed in tables.

I could try this:

  good_0 = 2a00:1450:400c:: - 2a00:1450:400c::1000
  good_1 = 2a04:4e42:600::200 - 2a04:4e42:600::400
  good_2 = 2001:1900:2254:206a::50:0
  good_3 = 2001:19f0:5:61d:f000::
  good_4 = 2001:4998:58:1836::10

  good_users = "{ \
    $good_0, \
    $good_1, \
    $good_2, \
    $good_3, \
    $good_4 \
  }"

  pass in from <$good_users> to me ...

This won't work either, because macros can't be nested like that: the $good_0, $good_1 references won't be expanded.

I could perhaps insert all of the addresses into a persistent table one by one outside of the pf.conf file (with pfctl -T add), but I'm wary of doing this because the real range of addresses I want to allow would result in billions of addresses being inserted. That sounds like a bad idea.

I could also manually write one pf rule per address and range of addresses, but this would be painful and a serious maintenance burden.

Is there no way to specify a set of ranges and individual addresses without having to write one pf rule for each?
-- 
Mark Raynsford | http://www.io7m.com
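An added example, not part of Mark's post and not pf's own tooling: pf tables do accept CIDR prefixes (address/prefixlen), so an inclusive first-last range can be decomposed into the minimal set of aligned prefixes and loaded into one table, instead of one entry per address. The script below uses the ranges and single addresses quoted in the post as constructed sample input; the table name good_users is taken from the post's second attempt, and the /etc/pf.good_users path is an assumed placeholder.

```python
import ipaddress
from typing import List

# Constructed sample input, in the form used in the post: an inclusive
# "first - last" range, or a single address on its own.
WANTED = [
    "2a00:1450:400c:: - 2a00:1450:400c::1000",
    "2a04:4e42:600::200 - 2a04:4e42:600::400",
    "2001:1900:2254:206a::50:0",
    "2001:19f0:5:61d:f000::",
    "2001:4998:58:1836::10",
]


def range_to_prefixes(spec: str) -> List[ipaddress.IPv6Network]:
    """Turn one spec into the minimal list of aligned prefixes covering it.

    A range that is not itself power-of-two aligned expands to at most
    about 2 * (128 - prefixlen) prefixes, never to one entry per address.
    """
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != 6 or last.version != 6:
            raise ValueError(f"not an IPv6 range: {spec!r}")
        if last < first:
            raise ValueError(f"range end precedes start: {spec!r}")
        return list(ipaddress.summarize_address_range(first, last))
    addr = ipaddress.ip_address(spec.strip())
    if addr.version != 6:
        raise ValueError(f"not an IPv6 address: {spec!r}")
    return [ipaddress.ip_network(addr)]


def to_table_entries(specs) -> List[str]:
    """Expand every spec, merge adjacent/overlapping prefixes, return as text."""
    nets: List[ipaddress.IPv6Network] = []
    for spec in specs:
        nets.extend(range_to_prefixes(spec))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covered(addr: str, entries: List[str]) -> bool:
    """Check what the resulting table would match, before loading it."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e) for e in entries)


def render_pf_conf(entries: List[str], table: str = "good_users") -> str:
    """Render an inline pf table plus the rule the post wanted to write."""
    body = ", \\\n    ".join(entries)
    return (
        f"table <{table}> persist {{ \\\n    {body} \\\n}}\n"
        f"pass in from <{table}> to me\n"
    )


if __name__ == "__main__":
    entries = to_table_entries(WANTED)
    print(render_pf_conf(entries))
    # Alternatively, one prefix per line is the format pf reads via
    # `table <good_users> persist file "/etc/pf.good_users"` (assumed path).
    print("\n".join(entries))
```

The two ranges in the post become two prefixes each (a /116 plus a /128, and a /119 plus a /128), so the whole allow list is seven table entries. Keeping the generated prefix file under version control and reloading it with `pfctl -t good_users -T replace -f /etc/pf.good_users` keeps the table in sync with the list without touching the rules.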