From: "Rodney W. Grimes"
Message-Id: <201805111543.w4BFhXTS076071@pdx.rh.CN85.dnsmgr.net>
Subject: Re: pf: Efficiently specifying discontinuous IPv6 ranges
In-Reply-To: <20180511162809.4b59ef02@almond.int.arc7.info>
To: Mark Raynsford
Date: Fri, 11 May 2018 08:43:33 -0700 (PDT)
CC: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

> Hello.
>
> Let's say I have a host and I want to restrict access to that host to a
> discontinuous range of IPv6 addresses. For example, let's say I want to
> allow access to a host from addresses [2a00:1450:400c::,
> 2a00:1450:400c::1000], [2a04:4e42:600::200, 2a04:4e42:600::400], and
> individually 2001:1900:2254:206a::50:0, 2001:19f0:5:61d:f000::, and
> 2001:4998:58:1836::10.
>
> I could try this:
>
>   good_0 = "2a00:1450:400c:: - 2a00:1450:400c::1000"
>   good_1 = "2a04:4e42:600::200 - 2a04:4e42:600::400"
>   good_2 = 2001:1900:2254:206a::50:0
>   good_3 = 2001:19f0:5:61d:f000::
>   good_4 = 2001:4998:58:1836::10
>
>   table = { \
>     $good_0, \
>     $good_1, \
>     $good_2, \
>     $good_3, \
>     $good_4 \
>   }
>
>   pass in from to me ...
>
> This, however, won't work because IPv6 address ranges are not allowed
> in tables.
>
> I could try this:
>
>   good_0 = 2a00:1450:400c:: - 2a00:1450:400c::1000
>   good_1 = 2a04:4e42:600::200 - 2a04:4e42:600::400
>   good_2 = 2001:1900:2254:206a::50:0
>   good_3 = 2001:19f0:5:61d:f000::
>   good_4 = 2001:4998:58:1836::10
>
>   good_users = "{ \
>     $good_0, \
>     $good_1, \
>     $good_2, \
>     $good_3, \
>     $good_4 \
>   }"
>
>   pass in from $good_users> to me ...
>
> This won't work either, because macros can't be nested like that: The
> $good_0, $good_1 references won't be expanded.
>
> I could perhaps insert all of the addresses into a persistent table
> one-by-one outside of the pf.conf file (with pfctl -T add), but I'm wary
> of doing this because the real range of addresses I want to allow would
> result in billions of addresses being inserted. That sounds like a bad
> idea.
>
> I could also manually write one pf rule per address and range of
> addresses, but this would be painful and a serious maintenance burden.
>
> Is there no way to specify a set of ranges and individual addresses
> without having to write one pf rule for each?
I am not sure what is processing the above syntax, but for /bin/sh you
would need to code this as:

  #!/bin/sh
  # Quote each value so the spaces around '-' do not split it into tokens.
  good_0="2a00:1450:400c::-2a00:1450:400c::1000"
  good_1="2a04:4e42:600::200-2a04:4e42:600::400"
  good_2="2001:1900:2254:206a::50:0"
  good_3="2001:19f0:5:61d:f000::"
  good_4="2001:4998:58:1836::10"
  echo ${good_0}
  echo ${good_1}
  echo ${good_2}
  echo ${good_3}
  # Glue the pieces together with ',' and no whitespace, as one token.
  good_users="${good_0},${good_1},${good_2},${good_3},${good_4}"
  echo ${good_users}

To stop nasties like spaces around -'s being token separators, same for
,'s when you try to glue good_X together, as that will end up as 4
separate tokens, which pf may not like.

I see now pf has its own processor, and says it does not expand macros
inside quotes, so perhaps one needs to write

  good_users=${good_0},${good_1},${good_2},${good_3},${good_4}

to get the desired effect?

It probably also does not like my sh syntax of ${VARIABLE}, over
$VARIABLE. Sad it doesn't use an already well established standard
syntax for these types of things.

> --
> Mark Raynsford | http://www.io7m.com

--
Rod Grimes                                                 rgrimes@freebsd.org
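As an added example (not from either poster), one way around the constraint in the question: pf tables accept CIDR prefixes, so a discontinuous set of IPv6 ranges can be split into the minimal list of aligned prefixes and loaded as a table file rather than one address or one rule at a time. The ranges are the ones from the question; the table name and file path in the comments are assumptions.

```python
"""Expand discontinuous IPv6 ranges into CIDR prefixes for a pf table file."""
import ipaddress

# Constructed from the ranges in the question: (first, last) pairs;
# single hosts are written as a range of one address.
ALLOWED = [
    ("2a00:1450:400c::", "2a00:1450:400c::1000"),
    ("2a04:4e42:600::200", "2a04:4e42:600::400"),
    ("2001:1900:2254:206a::50:0", "2001:1900:2254:206a::50:0"),
    ("2001:19f0:5:61d:f000::", "2001:19f0:5:61d:f000::"),
    ("2001:4998:58:1836::10", "2001:4998:58:1836::10"),
]


def range_to_prefixes(first: str, last: str) -> list:
    """Greedy split of the inclusive range [first, last] into CIDR blocks.

    At each step take the largest power-of-two block that is aligned at
    `cur` and does not run past `end`; this yields the minimal cover.
    """
    cur = int(ipaddress.IPv6Address(first))
    end = int(ipaddress.IPv6Address(last))
    if cur > end:
        raise ValueError(f"range start {first} is after end {last}")
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        # size == 2**k covers 2**k addresses, i.e. a /(128-k) prefix.
        blocks.append(ipaddress.IPv6Network((cur, 128 - size.bit_length() + 1)))
        cur += size
    return blocks


def pf_table_lines(entries) -> list:
    """One table-file line per prefix; a /128 is written as a bare address."""
    lines = []
    for first, last in entries:
        for net in range_to_prefixes(first, last):
            lines.append(str(net.network_address) if net.prefixlen == 128 else str(net))
    return lines


if __name__ == "__main__":
    # Save the output as e.g. /etc/pf/good_users (assumed path) and load it with:
    #   table <good_users> persist file "/etc/pf/good_users"
    #   pass in from <good_users> to me
    print("\n".join(pf_table_lines(ALLOWED)))
```

The two ranges collapse to four prefixes and the three hosts stay as /128s, so the whole set is seven table entries instead of thousands of addresses or five separate rules.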