Date: Thu, 24 Nov 2005 23:00:50 +0100
From: Patrick Bihan-Faou <patrick.bihan-faou@netzuno.com>
To: ipfw@freebsd.org
Subject: Re: Features enhacement: AND-block and "me" expression on a table...
Message-ID: <43863812.2040602@netzuno.com>
In-Reply-To: <43833270.8060502@freebsdbrasil.com.br>
References: <43833270.8060502@freebsdbrasil.com.br>
Hi,

Patrick Tracanelli wrote:
>
> Hello ipfw developers,
>
> Would it be hard to make ipfw process "and" blocks, just like "or"
> blocks? I mean, in the following situation:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32
> } to any dst-port 22 out via fxp0 setup keep-state
>
> In my understanding, this rule will *always* match, because the OR
> block makes the source always be true, because it *won't* be one origin
> OR it won't be the other. What if we could have:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32
> } to any dst-port 22 out via fxp0 setup keep-state
>
> ?
>

I have a set of patches that I am playing with that allow the negation of an entire or-block, i.e.:

ipfw add deny log tcp from not { 1.1.1.1 or 2.2.2.2 } to any

So far my tests are good, and I can use this syntax anywhere an or-block can be implemented.

> One more thing, I have just noticed that tables do not accept the "me"
> expression. Any chance to have ipfw deal with "me" in a table?
>

Looking at the code this is really not as easy as it sounds. You are probably better off using something like

ipfw count ip from { table(1) or me } to any

in such situations.

Also I have noticed that it is not possible to add the 255.255.255.255 address to a table either.

I might make these patches available at some point, time permitting.

Patrick.
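The following is an added illustration, not code from either poster or from ipfw itself: a small model of how ipfw evaluates a source-address or-block, used to check the three rule shapes discussed in the thread. It assumes a term is either a plain or a negated set of networks, that an or-block matches when any term matches, and that the proposed `not { ... }` syntax negates the block as a whole; the addresses for `table(1)` and `me` are constructed sample values.

```python
import ipaddress

# A term is (negated, list_of_networks). Matching a term against a source
# address: hit if the address is in any listed network, inverted when negated.
def term_matches(term, src):
    negated, nets = term
    addr = ipaddress.ip_address(src)
    hit = any(addr in net for net in nets)
    return (not hit) if negated else hit

def or_block_matches(terms, src):
    # ipfw or-block: true as soon as one term is true
    return any(term_matches(t, src) for t in terms)

def negated_or_block_matches(terms, src):
    # the proposed 'from not { a or b }' syntax: negate the whole block
    return not or_block_matches(terms, src)

def and_block_matches(terms, src):
    # the and-block asked for in the thread: every term must be true
    return all(term_matches(t, src) for t in terms)

HOST_A = [ipaddress.ip_network("10.10.10.10/32")]
HOST_B = [ipaddress.ip_network("10.10.10.20/32")]

# rule as posted:              from { not A or not B }
AS_POSTED = [(True, HOST_A), (True, HOST_B)]
# negated or-block (patches):  from not { A or B }
NEGATED_BLOCK = [(False, HOST_A), (False, HOST_B)]
# requested and-block:         from { not A and not B }
AND_FORM = [(True, HOST_A), (True, HOST_B)]

def compare(src):
    """Evaluate the same source address against the three rule shapes."""
    return {
        "as_posted": or_block_matches(AS_POSTED, src),
        "negated_block": negated_or_block_matches(NEGATED_BLOCK, src),
        "and_block": and_block_matches(AND_FORM, src),
    }

# Constructed sample contents for the { table(1) or me } workaround.
TABLE_1 = [ipaddress.ip_network("198.51.100.0/24")]
ME = [ipaddress.ip_network("192.0.2.1/32")]   # assumed local interface address

def table_or_me_matches(src):
    return or_block_matches([(False, TABLE_1), (False, ME)], src)
```

Running `compare("10.10.10.10")` shows the rule as posted still matching while both the negated block and the and-block reject it, which is the discrepancy the thread describes.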