From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 24 23:14:02 2005
Message-ID: <43863812.2040602@netzuno.com>
Date: Thu, 24 Nov 2005 23:00:50 +0100
From: Patrick Bihan-Faou
Organization: netZuno Technologies
User-Agent: Thunderbird 1.4.1 (Windows/20051006)
To: ipfw@freebsd.org
References: <43833270.8060502@freebsdbrasil.com.br>
In-Reply-To: <43833270.8060502@freebsdbrasil.com.br>
Subject: Re: Features enhancement: AND-block and "me" expression on a table...
List-Id: IPFW Technical Discussions

Hi,

Patrick Tracanelli wrote:
>
> Hello ipfw developers,
>
> Would it be hard to make ipfw process "and" blocks, just like "or"
> blocks? I mean, in the following situation:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32 } to any dst-port 22 out via fxp0 setup keep-state
>
> In my understanding, this rule will *always* match, because the OR
> block makes the source always be true: either it *won't* be one origin
> OR it won't be the other. What if we could have:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32 } to any dst-port 22 out via fxp0 setup keep-state
>
> ?
>

I have a set of patches that I am playing with that allow the negation of
an entire or-block, i.e.:

ipfw add deny log tcp from not { 1.1.1.1 or 2.2.2.2 } to any

So far my tests are good, and I can use this syntax anywhere an or-block
can be used.

> One more thing, I have just noticed that tables do not accept the "me"
> expression. Any chance to have ipfw deal with "me" in a table?
>

Looking at the code, this is really not as easy as it sounds. You are
probably better off using something like

ipfw count ip from { table(1) or me } to any

in such situations.

Also, I have noticed that it is not possible to add the 255.255.255.255
address to a table either.

I might make these patches available at some point, time permitting.

Patrick.
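The point both Patricks make about or-blocks is easy to get wrong, so here is a small model of how ipfw matches an address spec against a packet's source, added as an example (it is neither code from this thread nor from ipfw itself). It assumes a simplified grammar: per-term `not`, or-blocks in braces, the whole-block `not { ... }` form the reply describes, `any`, `me` and `table(N)`. `me` is modelled as membership in a constructed list of local addresses and `table(N)` as a list of prefixes; every address below is constructed. It also emits the stock-syntax stand-in for `not { A or B }` that ipfw's grammar already allows, a table holding A and B used with `not table(N)`, and the test checks that the two forms agree on every source.

```python
"""Model of ipfw address-spec matching: or-blocks, per-term `not`,
whole-block `not { ... }` (the patch described in the reply), `me` and
`table(N)`. Added example; all addresses below are constructed."""
import ipaddress

# Constructed stand-ins for the box's own addresses ("me") and for a
# loaded ipfw table; nothing here is read from a real system.
LOCAL_ADDRS = ("192.168.50.146",)
TABLES = {1: ["10.10.10.10/32", "10.10.10.20/32"]}


def parse_spec(text):
    """Return (block_negated, [(term_negated, atom), ...]).

    Accepts "A", "not A", "{ A or not B }" and "not { A or B }".
    Terms inside braces are OR-ed, as in ipfw; the leading "not { ... }"
    form is the whole-block negation from the patches in the reply."""
    toks = text.replace("{", " { ").replace("}", " } ").split()
    block_neg = False
    if len(toks) > 1 and toks[0] == "not" and toks[1] == "{":
        block_neg = True
        toks = toks[1:]
    if toks and toks[0] == "{":
        if toks[-1] != "}":
            raise ValueError("unbalanced braces in %r" % text)
        toks = toks[1:-1]
    terms, neg = [], False
    for tok in toks:
        if tok == "or":
            continue
        if tok == "not":
            neg = True
            continue
        terms.append((neg, tok))
        neg = False
    if neg or not terms:
        raise ValueError("malformed address spec %r" % text)
    return block_neg, terms


def atom_matches(atom, src, local_addrs, tables):
    """Does one atom (prefix, host, 'any', 'me', 'table(N)') cover src?"""
    ip = ipaddress.ip_address(src)
    if atom == "any":
        return True
    if atom == "me":
        return src in local_addrs
    if atom.startswith("table(") and atom.endswith(")"):
        prefixes = tables.get(int(atom[len("table("):-1]), [])
        return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)
    return ip in ipaddress.ip_network(atom, strict=False)


def spec_matches(spec, src, local_addrs=LOCAL_ADDRS, tables=TABLES):
    """True if the spec matches src under ipfw's or-block rules: a term
    matches when (atom covers src) XOR (term is negated); the block matches
    when any term does; a leading `not {` inverts that result."""
    block_neg, terms = parse_spec(spec)
    hit = any(neg != atom_matches(atom, src, local_addrs, tables)
              for neg, atom in terms)
    return hit != block_neg


def matrix(spec, sources, **kw):
    """Match result of one spec for each source address."""
    return {s: spec_matches(spec, s, **kw) for s in sources}


def table_equivalent(hosts, table_no=1):
    """Stock-syntax stand-in for `not { h1 or h2 ... }`: load the hosts
    into a table and negate the table lookup. Returns the ipfw commands
    as strings; nothing is executed here."""
    cmds = ["ipfw table %d add %s" % (table_no, h) for h in hosts]
    cmds.append("ipfw add deny log tcp from not table(%d) to any "
                "dst-port 22 out via fxp0 setup keep-state" % table_no)
    return cmds


if __name__ == "__main__":
    srcs = ["10.10.10.10", "10.10.10.20", "10.10.10.30"]
    for spec in ("{ not 10.10.10.10/32 or not 10.10.10.20/32 }",  # always true
                 "not { 10.10.10.10/32 or 10.10.10.20/32 }",      # patched syntax
                 "not table(1)",                                  # stock equivalent
                 "{ table(1) or me }"):
        print("%-48s %s" % (spec, matrix(spec, srcs)))
    print("\n".join(table_equivalent(["10.10.10.10", "10.10.10.20"])))
```

Running it shows the first spec matching all three sources (De Morgan: `not A or not B` is only false when the source is both A and B, which one address never is), while the `not { A or B }` form and the `not table(1)` form match only 10.10.10.30.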