Date:      Fri, 11 May 2018 16:28:09 +0100
From:      Mark Raynsford <list+org.freebsd.net@io7m.com>
To:        freebsd-net@freebsd.org
Subject:   pf: Efficiently specifying discontinuous IPv6 ranges
Message-ID:  <20180511162809.4b59ef02@almond.int.arc7.info>

Hello.

Let's say I have a host and I want to restrict access to that host to a
discontinuous range of IPv6 addresses. For example, let's say I want to
allow access to a host from addresses [2a00:1450:400c::,
2a00:1450:400c::1000], [2a04:4e42:600::200, 2a04:4e42:600::400], and
individually 2001:1900:2254:206a::50:0, 2001:19f0:5:61d:f000::, and
2001:4998:58:1836::10.

I could try this:

good_0 = "2a00:1450:400c:: - 2a00:1450:400c::1000"
good_1 = "2a04:4e42:600::200 - 2a04:4e42:600::400"
good_2 = 2001:1900:2254:206a::50:0
good_3 = 2001:19f0:5:61d:f000::
good_4 = 2001:4998:58:1836::10

table <good_users> = { \
  $good_0, \
  $good_1, \
  $good_2, \
  $good_3, \
  $good_4  \
}

pass in from <good_users> to me ...

This, however, won't work because IPv6 address ranges are not allowed
in tables.

I could try this:

good_0 = 2a00:1450:400c:: - 2a00:1450:400c::1000
good_1 = 2a04:4e42:600::200 - 2a04:4e42:600::400
good_2 = 2001:1900:2254:206a::50:0
good_3 = 2001:19f0:5:61d:f000::
good_4 = 2001:4998:58:1836::10

good_users = "{ \
  $good_0, \
  $good_1, \
  $good_2, \
  $good_3, \
  $good_4  \
}"

pass in from $good_users to me ...

This won't work either, because macros can't be nested like that: the
$good_0, $good_1 references won't be expanded.

I could perhaps insert all of the addresses into a persistent table
one-by-one outside of the pf.conf file (with pfctl -T add), but I'm wary
of doing this because the real range of addresses I want to allow would
result in billions of addresses being inserted. That sounds like a bad
idea.

I could also manually write one pf rule per address and range of
addresses, but this would be painful and a serious maintenance burden.

Is there no way to specify a set of ranges and individual addresses
without having to write one pf rule for each?

-- 
Mark Raynsford | http://www.io7m.com
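One way to avoid both the per-rule approach and inserting billions of individual addresses is to convert each arbitrary first-last range into the minimal set of CIDR prefixes that covers it exactly, since pf tables accept network prefixes even though they reject range syntax. The script below is an added example, not code from the original post or its thread; it uses Python's standard `ipaddress` module, takes the ranges and single hosts from the question as constructed input, and emits a `table <good_users>` block in pf.conf syntax (the table name and the `persist` keyword are the example's own choices). The membership helper lets you confirm that the boundary addresses land on the right side before loading anything into pf.

```python
import ipaddress

# Constructed input mirroring the question: two first-last ranges and three
# individual hosts. These are example values, not a live ruleset.
RANGES = [
    ("2a00:1450:400c::", "2a00:1450:400c::1000"),
    ("2a04:4e42:600::200", "2a04:4e42:600::400"),
]
SINGLES = [
    "2001:1900:2254:206a::50:0",
    "2001:19f0:5:61d:f000::",
    "2001:4998:58:1836::10",
]


def range_to_prefixes(first, last):
    """Return the minimal list of CIDR networks covering first..last inclusive.

    A pf table cannot hold "a - b", but it can hold any number of prefixes, so
    a range that is not prefix-aligned is split into several aligned prefixes.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version:
        raise ValueError("range endpoints must be the same IP version")
    if lo > hi:
        raise ValueError("range start is after range end: %s - %s" % (first, last))
    return list(ipaddress.summarize_address_range(lo, hi))


def build_table_entries(ranges, singles):
    """Expand ranges to prefixes, add single hosts as /128, and collapse
    any adjacent or overlapping entries into the smallest equivalent set."""
    nets = []
    for first, last in ranges:
        nets.extend(range_to_prefixes(first, last))
    for host in singles:
        nets.append(ipaddress.ip_network(host))  # a bare address becomes /128
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(addr, nets):
    """True if addr falls inside any of the table entries (boundary check)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def render_pf_table(name, nets):
    """Render the entries as a pf.conf table definition, one prefix per line,
    using backslash continuations as in the question's own snippet."""
    lines = ["table <%s> persist { \\" % name]
    for i, n in enumerate(nets):
        sep = "," if i < len(nets) - 1 else ""
        lines.append("  %s%s \\" % (n.with_prefixlen, sep))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = build_table_entries(RANGES, SINGLES)
    print(render_pf_table("good_users", entries))
    # Spot-check the edges of the first range before loading into pf.
    for probe in ("2a00:1450:400c::1000", "2a00:1450:400c::1001"):
        print("%s allowed: %s" % (probe, is_allowed(probe, entries)))
```

The first range (0x1001 addresses starting on a 4096-aligned boundary) becomes `2a00:1450:400c::/116` plus `2a00:1450:400c::1000/128`, and the second becomes `2a04:4e42:600::200/119` plus `2a04:4e42:600::400/128`, so the whole policy is seven table entries rather than billions of hosts. The rendered block can be pasted into pf.conf and referenced with a single `pass in from <good_users> to me ...` rule; alternatively, write one prefix per line to a file and load it with pf's `table <good_users> persist file "/path/to/file"` form, which keeps the list out of the ruleset and lets `pfctl -t good_users -T replace -f /path/to/file` refresh it without a full reload.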


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180511162809.4b59ef02>