From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: ipfw@freebsd.org
Date: Tue, 22 Nov 2005 13:00:00 -0200
Subject: Features enhancement: AND-block and "me" expression on a table...
Message-ID: <43833270.8060502@freebsdbrasil.com.br>
List-Id: IPFW Technical Discussions

Hello ipfw developers,

Would it be hard to make ipfw process "and" blocks, just like "or" blocks?
I mean, in the following situation:

    ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32 } to any dst-port 22 out via fxp0 setup keep-state

On my understanding, this rule will *always* match, because the OR block makes the source always be true: either it *won't* be one origin OR it won't be the other.

What if we could have:

    ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32 } to any dst-port 22 out via fxp0 setup keep-state

?

One more thing, I have just noticed that tables do not accept the "me" expression. Any chance to have ipfw deal with "me" in a table?

Also, dummynet does not evaluate tables well. Only the first address is matched against a dummynet rule. It would be great if tables could be used with dummynet and all the mask specifiers...

Those are only some thoughts... =)

-- 
Patrick Tracanelli
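The matching logic behind the rule quoted in the message, as an added example that is not part of the original post and not ipfw's own code: a small Python model of how an address block is evaluated against a packet's source. It models three forms: the "or" block of negated addresses from the message, the requested "and" block, and a negated comma-separated list ("not A,B"), which the model assumes behaves as ipfw(8) describes (the list matches if any member matches, and a leading "not" negates the whole list). The function names and the sample source addresses are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the two hosts the deny rule was meant to exempt.
EXEMPT = ["10.10.10.10/32", "10.10.10.20/32"]

# Constructed sample sources: both exempt hosts plus an unrelated host.
SAMPLE_SOURCES = ["10.10.10.10", "10.10.10.20", "192.0.2.1"]


def in_net(src, cidr):
    """True if the source address falls inside the CIDR prefix."""
    return ip_address(src) in ip_network(cidr, strict=False)


def or_block_of_negations(src, nets):
    """Model of '{ not A or not B }': matches if src is outside ANY listed prefix.
    Because a single address can never be inside two distinct /32s at once,
    this is true for every possible source, including the exempt hosts."""
    return any(not in_net(src, n) for n in nets)


def and_block_of_negations(src, nets):
    """Model of the requested '{ not A and not B }': matches only if src is
    outside EVERY listed prefix, i.e. the exempt hosts are not matched."""
    return all(not in_net(src, n) for n in nets)


def negated_list(src, nets):
    """Model of 'not A,B' (a negated address list): not (src in A or src in B).
    By De Morgan this is the same predicate as and_block_of_negations."""
    return not any(in_net(src, n) for n in nets)


def evaluate(rule_fn, sources=SAMPLE_SOURCES, nets=EXEMPT):
    """Apply one rule model to each sample source; True means 'deny rule matches'."""
    return {s: rule_fn(s, nets) for s in sources}


if __name__ == "__main__":
    for fn in (or_block_of_negations, and_block_of_negations, negated_list):
        print(f"{fn.__name__:>24}: {evaluate(fn)}")
```

Running the block shows the "or" block matching all three sources (so the deny rule would block outbound SSH from the two hosts it meant to exempt), while the "and" block and the negated list both match only the unrelated host.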