Date: Fri, 11 May 2018 08:43:33 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net>
To: Mark Raynsford <list+org.freebsd.net@io7m.com>
Cc: freebsd-net@freebsd.org
Subject: Re: pf: Efficiently specifying discontinuous IPv6 ranges
Message-ID: <201805111543.w4BFhXTS076071@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <20180511162809.4b59ef02@almond.int.arc7.info>
> Hello.
>
> Let's say I have a host and I want to restrict access to that host to a
> discontinuous range of IPv6 addresses. For example, let's say I want to
> allow access to a host from addresses [2a00:1450:400c::,
> 2a00:1450:400c::1000], [2a04:4e42:600::200, 2a04:4e42:600::400], and
> individually 2001:1900:2254:206a::50:0, 2001:19f0:5:61d:f000::, and
> 2001:4998:58:1836::10.
>
> I could try this:
>
> good_0 = "2a00:1450:400c:: - 2a00:1450:400c::1000"
> good_1 = "2a04:4e42:600::200 - 2a04:4e42:600::400"
> good_2 = 2001:1900:2254:206a::50:0
> good_3 = 2001:19f0:5:61d:f000::
> good_4 = 2001:4998:58:1836::10
>
> table <good_users> { \
>   $good_0, \
>   $good_1, \
>   $good_2, \
>   $good_3, \
>   $good_4 \
> }
>
> pass in from <good_users> to me ...
>
> This, however, won't work because IPv6 address ranges are not allowed
> in tables.
>
> I could try this:
>
> good_0 = 2a00:1450:400c:: - 2a00:1450:400c::1000
> good_1 = 2a04:4e42:600::200 - 2a04:4e42:600::400
> good_2 = 2001:1900:2254:206a::50:0
> good_3 = 2001:19f0:5:61d:f000::
> good_4 = 2001:4998:58:1836::10
>
> good_users = "{ \
>   $good_0, \
>   $good_1, \
>   $good_2, \
>   $good_3, \
>   $good_4 \
> }"
>
> pass in from $good_users to me ...
>
> This won't work either, because macros can't be nested like that: The
> $good_0, $good_1 references won't be expanded.
>
> I could perhaps insert all of the addresses into a persistent table
> one-by-one outside of the pf.conf file (with pfctl -T add), but I'm wary
> of doing this because the real range of addresses I want to allow would
> result in billions of addresses being inserted. That sounds like a bad
> idea.
>
> I could also manually write one pf rule per address and range of
> addresses, but this would be painful and a serious maintenance burden.
>
> Is there no way to specify a set of ranges and individual addresses
> without having to write one pf rule for each?
I am not sure what is processing the above syntax, but for /bin/sh you
would need to code this as:

#!/bin/sh
good_0="2a00:1450:400c::-2a00:1450:400c::1000"
good_1="2a04:4e42:600::200-2a04:4e42:600::400"
good_2="2001:1900:2254:206a::50:0"
good_3="2001:19f0:5:61d:f000::"
good_4="2001:4998:58:1836::10"
echo ${good_0}
echo ${good_1}
echo ${good_2}
echo ${good_3}
echo ${good_4}
good_users="${good_0},${good_1},${good_2},${good_3},${good_4}"
echo ${good_users}

To stop nasties like spaces around -'s being token separators, same for
,'s when you try to glue good_X together, as that will end up as 4
separate tokens, which pf may not like.

I see now pf has its own processor, and says it does not expand macros
inside quotes, so perhaps one needs to write

good_users=${good_0},${good_1},${good_2},${good_3},${good_4}

to get the desired effect? It probably also does not like my sh syntax
of ${VARIABLE}, over $VARIABLE. Sad it doesn't use an already well
established standard syntax for these types of things.

> --
> Mark Raynsford | http://www.io7m.com

--
Rod Grimes                                                 rgrimes@freebsd.org
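Added example, not part of either message in this thread: pf tables do accept networks in CIDR notation, so a "first - last" range can be decomposed into the minimal set of aligned prefixes that covers exactly those addresses instead of being loaded one address at a time. The Python below uses only the standard library's ipaddress module to do that for the ranges and hosts from the question, merges the result, and renders a pf table in the question's good_users layout. The function names (range_to_cidrs, build_table, covers, render_pf_table) and the boundary addresses in the checks are my own constructions; the rendered table is generated text and has not been fed to pfctl here. The same code handles IPv4 ranges, which the question does not ask about.

```python
#!/usr/bin/env python3
# Added example: decompose "first - last" address ranges into CIDR prefixes
# (which pf tables accept for IPv4 and IPv6) and emit a pf table definition.
import ipaddress

# Constructed input: the entries from the question, in the "first - last"
# form that pf tables reject for IPv6, plus the single hosts.
WANTED = [
    "2a00:1450:400c:: - 2a00:1450:400c::1000",
    "2a04:4e42:600::200 - 2a04:4e42:600::400",
    "2001:1900:2254:206a::50:0",
    "2001:19f0:5:61d:f000::",
    "2001:4998:58:1836::10",
]


def range_to_cidrs(entry):
    """Return the minimal list of CIDR networks covering exactly `entry`.

    `entry` is a single address, a network in CIDR form, or a
    "first - last" range.  A range is split into aligned power-of-two
    blocks, so even a range spanning billions of addresses yields at most
    roughly 2 * address_bits prefixes, never one table entry per address.
    """
    if "-" in entry:
        first_s, last_s = (part.strip() for part in entry.split("-", 1))
        first = ipaddress.ip_address(first_s)
        last = ipaddress.ip_address(last_s)
        if first.version != last.version:
            raise ValueError(f"mixed address families in {entry!r}")
        if last < first:
            raise ValueError(f"range end precedes range start in {entry!r}")
        return list(ipaddress.summarize_address_range(first, last))
    # A bare address becomes a /32 or /128; a CIDR string is kept as given.
    return [ipaddress.ip_network(entry.strip())]


def build_table(entries):
    """Decompose every entry and merge adjacent or overlapping prefixes."""
    nets = []
    for entry in entries:
        nets.extend(range_to_cidrs(entry))
    # collapse_addresses() takes one address family per call.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def covers(nets, addr):
    """True if `addr` falls inside any network in `nets` (an allow check)."""
    address = ipaddress.ip_address(addr)
    return any(address in net for net in nets)


def render_pf_table(name, nets):
    """Render a pf.conf table definition in the layout used in the question."""
    if not nets:
        raise ValueError("refusing to render an empty table")
    lines = [f"table <{name}> {{ \\"]
    lines += [f"\t{net}, \\" for net in nets[:-1]]
    lines.append(f"\t{nets[-1]} \\")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = build_table(WANTED)
    # Two ranges plus three hosts collapse to seven prefixes, not 0x1001 +
    # 0x201 + 3 individual addresses.
    print(render_pf_table("good_users", table))
```

Running it prints a table whose first range comes out as 2a00:1450:400c::/116 followed by 2a00:1450:400c::1000/128; the rule `pass in from <good_users> to me` from the question then applies to exactly the wanted addresses, and the table can be reloaded with pfctl as the set changes without touching the rules.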