From: "Jeffrey J. Mountin"
Date: Sun, 01 Sep 2002 14:19:30 -0500
To: Luigi Rizzo
Cc: Kenneth W Cochran, freebsd-stable@FreeBSD.ORG
Subject: Re: IPFW2 option in -stable kernel config

At 07:13 PM 8/31/02 -0700, Luigi Rizzo wrote:
>On Sat, Aug 31, 2002 at 06:49:48PM -0500, Jeffrey J. Mountin wrote:
>...
> > >ranges are limited to /24 or larger masks (partly to simplify parsing,
>
>for larger i meant /25 ... /32 i.e. smaller sets

Easy to interpret either way. ;)

> > So how does it work with something larger than a /24?  In my last message I
> > used:
> >
> > ... ip from 1.2.36.0/22{36.1,37.2,38.3,39.4} to ...
> >
> > Is this correct?
> >
> > And if what I gather from your reply then one could do:
> >
> > ... ip from 0.0.0.0/0{1.2.3.4,2.3.4.5,3.4.5.6} to ...
> >
> > Or is that asking too much? 8-)
>
>you _can_ write it as { 1.2.3.4 or 2.3.4.5 or 3.4.5.6 }
>but of course it is going to check all addresses sequentially.

Walked into that, but it's a potentially useful option to condense rulesets. Same with the former option were only it supported. Then it is as well by doing:

{ 1.2.36.1 or 1.2.37.2 or 1.2.38.3 or 1.2.39.4 }

It does make sense that only /24 - /32 masks, just the other way is shorter. Not sure how many could use this and as you say it does add overhead with a larger bitmap.

> > So for now it can only be a comma separated list and only port values can
> > use ranges.  Right?
>
>yes. Port values and MAC types and (i think) some icmp options, same as ipfw1

Last question I can think of for syntax is the allowance of whitespace (tab|space) inside the curly braces. Are they allowed when using the 1.2.3.4{5,10,20} notation? For longer lists it might help clarity. Your examples and the man page suggest not.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
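
An added example, not part of the original message and not taken from ipfw's source: a small Python model of the address-set notation discussed in this thread, showing why a /24 - /32 set can be tested with a single bitmap lookup while an { a or b or c } block is checked sequentially. The default /24 mask when none is written, the rejection of whitespace inside the braces, and all function names are assumptions of this sketch.

```python
import ipaddress
import re

# Assumed grammar for this sketch: base[/masklen]{n,n,...}, no whitespace in braces.
_SET_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\{(\d+(?:,\d+)*)\}$")


def parse_addr_set(spec):
    """Return (network, bitmap); bit i of the bitmap stands for network + i."""
    m = _SET_RE.match(spec)
    if not m:
        raise ValueError("not an address set (whitespace is rejected): %r" % spec)
    masklen = int(m.group(2)) if m.group(2) else 24   # assumption: default is /24
    if not 24 <= masklen <= 32:
        raise ValueError("address sets are limited to /24 - /32, got /%d" % masklen)
    net = ipaddress.ip_network("%s/%d" % (m.group(1), masklen), strict=False)
    first = int(net.network_address) & 0xFF            # last byte of lowest address
    bitmap = 0
    for item in m.group(3).split(","):
        offset = int(item) - first                     # entries are last-byte values
        if not 0 <= offset < net.num_addresses:
            raise ValueError("%s is outside %s" % (item, net))
        bitmap |= 1 << offset
    return net, bitmap


def set_matches(parsed, addr):
    """One mask compare plus one bit test, however long the list is."""
    net, bitmap = parsed
    ip = ipaddress.ip_address(addr)
    return ip in net and bool(bitmap >> (int(ip) - int(net.network_address)) & 1)


def or_block_matches(addrs, addr):
    """Model of { a or b or c }: candidates are compared one after another."""
    ip = ipaddress.ip_address(addr)
    checks = 0
    for candidate in addrs:
        checks += 1
        if ip == ipaddress.ip_address(candidate):
            return True, checks
    return False, checks
```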