Date: Tue, 30 Jan 2007 20:18:20 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: Erik Norgaard <norgaard@locolomo.org> Cc: FreeBSD Questions <questions@freebsd.org> Subject: Re: Negation in tables for packet filter Message-ID: <45BF99FC.3080002@locolomo.org> In-Reply-To: <45BCAC1F.80701@locolomo.org> References: <45BCAC1F.80701@locolomo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format.
--------------ms060706060904080807060907
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
I got this response off-list:
Lowell Gilbert wrote:
> Erik Norgaard <norgaard@locolomo.org> writes:
>
>> table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
>> !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
>
> Think about it; this matches *everything*. All possible packets are
> in either !10/8 or !127/8. etc.
This is clear if tables are a simple or'ing of the entries, but the
documentation is somewhat confusing, they give this example
(http://www.openbsd.org/faq/pf/tables.html):
<quote>
table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
block in on dc0 all
pass in on dc0 from <goodguys> to any
* 172.16.50.5 - narrowest match is 172.16.0.0/16; packet matches the
table and will be passed
* 172.16.1.25 - narrowest match is !172.16.1.0/24; packet matches an
entry in the table but that entry is negated (uses the "!" modifier);
packet does not match the table and will be blocked
* 172.16.1.100 - exactly matches 172.16.1.100; packet matches the
table and will be passed
* 10.1.4.55 - does not match the table and will be blocked
</quote>
so maybe I should add 0/0 to the above list?
Thanks, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
--------------ms060706060904080807060907
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIK6DCC
BXAwggRYoAMCAQICBEVUK6IwDQYJKoZIhvcNAQEFBQAwMTELMAkGA1UEBhMCREsxDDAKBgNV
BAoTA1REQzEUMBIGA1UEAxMLVERDIE9DRVMgQ0EwHhcNMDYxMTE1MDgzMTU0WhcNMDgxMTE1
MDkwMTU0WjB1MQswCQYDVQQGEwJESzEpMCcGA1UEChMgSW5nZW4gb3JnYW5pc2F0b3Jpc2sg
dGlsa255dG5pbmcxOzAUBgNVBAMUDUVyaWsgTvhyZ2FhcmQwIwYDVQQFExxQSUQ6OTgwMi0y
MDAyLTItNTQ0MzY5NzY5MzE1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1/K6+GVcF
UvoWJpyfhzWbu8qEOB8jU17A0dpmts7RT+ODkYq0lxJCcvvdSXNQQurvYwaPISA+EMRy+rIm
rjhoyxhsM9w/XC7gELqkr1XbGt3wR0KLr5ZcRfD4HqrWM1Eh1OYxTXKod6Ox/FAqzDAy91x8
XCZzsHtiBCdgMSYxqwIDAQABo4ICzjCCAsowDgYDVR0PAQH/BAQDAgP4MCsGA1UdEAQkMCKA
DzIwMDYxMTE1MDgzMTU0WoEPMjAwODExMTUwOTAxNTRaMIIBNwYDVR0gBIIBLjCCASowggEm
BgoqgVCBKQEBAQEDMIIBFjAvBggrBgEFBQcCARYjaHR0cDovL3d3dy5jZXJ0aWZpa2F0LmRr
L3JlcG9zaXRvcnkwgeIGCCsGAQUFBwICMIHVMAoWA1REQzADAgEBGoHGRm9yIGFudmVuZGVs
c2UgYWYgY2VydGlmaWthdGV0IGfmbGRlciBPQ0VTIHZpbGvlciwgQ1BTIG9nIE9DRVMgQ1As
IGRlciBrYW4gaGVudGVzIGZyYSB3d3cuY2VydGlmaWthdC5kay9yZXBvc2l0b3J5LiBCZW3m
cmssIGF0IFREQyBlZnRlciB2aWxr5XJlbmUgaGFyIGV0IGJlZ3LmbnNldCBhbnN2YXIgaWZ0
LiBwcm9mZXNzaW9uZWxsZSBwYXJ0ZXIuMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYl
aHR0cDovL29jc3AuY2VydGlmaWthdC5kay9vY3NwL3N0YXR1czAgBgNVHREEGTAXgRVub3Jn
YWFyZEBsb2NvbG9tby5vcmcwgYQGA1UdHwR9MHswS6BJoEekRTBDMQswCQYDVQQGEwJESzEM
MAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQTEQMA4GA1UEAxMHQ1JMMTU1NzAs
oCqgKIYmaHR0cDovL2NybC5vY2VzLmNlcnRpZmlrYXQuZGsvb2Nlcy5jcmwwHwYDVR0jBBgw
FoAUYLWF7FZkfhIZJ2cdUBVLc647+RIwHQYDVR0OBBYEFPd+a0ceJ9JmK934UXsB3G0mjv+f
MAkGA1UdEwQCMAAwGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCA6gwDQYJKoZIhvcNAQEFBQAD
ggEBAE9KhX+l/ZcnhvGPhHyWnJspyCXSiuqZ+GlgMdcKXtlu8kXsqNzfDe9qSs93++zJS+HT
vAW0QgyIxjY1VpgCqgyjU8e2d2D1eSRMDB09WViZk8oZkvOy0Mq3yy//CLSw3gQbXNZF+Yt+
htss+FD+idACVyRBQqlcHuaxjguyzZkK0fGBN5H5nsklDySQCU7X0i3egeIiL7zlV3cjp9KT
12tNG4jfQTaSUzBkz0R+x+Jcdyp6AI9Qg3H1iGDDI58aCTY5ohQBpDsUcLr6U842IACNCeub
qDP6nDo5lnMEXwGH/RO8r4supCf5wrNRjqEX/vokUzB5QfDGtmxxZkycaaQwggVwMIIEWKAD
AgECAgRFVCuiMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMx
FDASBgNVBAMTC1REQyBPQ0VTIENBMB4XDTA2MTExNTA4MzE1NFoXDTA4MTExNTA5MDE1NFow
dTELMAkGA1UEBhMCREsxKTAnBgNVBAoTIEluZ2VuIG9yZ2FuaXNhdG9yaXNrIHRpbGtueXRu
aW5nMTswFAYDVQQDFA1FcmlrIE74cmdhYXJkMCMGA1UEBRMcUElEOjk4MDItMjAwMi0yLTU0
NDM2OTc2OTMxNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtfyuvhlXBVL6Fiacn4c1
m7vKhDgfI1NewNHaZrbO0U/jg5GKtJcSQnL73UlzUELq72MGjyEgPhDEcvqyJq44aMsYbDPc
P1wu4BC6pK9V2xrd8EdCi6+WXEXw+B6q1jNRIdTmMU1yqHejsfxQKswwMvdcfFwmc7B7YgQn
YDEmMasCAwEAAaOCAs4wggLKMA4GA1UdDwEB/wQEAwID+DArBgNVHRAEJDAigA8yMDA2MTEx
NTA4MzE1NFqBDzIwMDgxMTE1MDkwMTU0WjCCATcGA1UdIASCAS4wggEqMIIBJgYKKoFQgSkB
AQEBAzCCARYwLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuY2VydGlmaWthdC5kay9yZXBvc2l0
b3J5MIHiBggrBgEFBQcCAjCB1TAKFgNUREMwAwIBARqBxkZvciBhbnZlbmRlbHNlIGFmIGNl
cnRpZmlrYXRldCBn5mxkZXIgT0NFUyB2aWxr5XIsIENQUyBvZyBPQ0VTIENQLCBkZXIga2Fu
IGhlbnRlcyBmcmEgd3d3LmNlcnRpZmlrYXQuZGsvcmVwb3NpdG9yeS4gQmVt5nJrLCBhdCBU
REMgZWZ0ZXIgdmlsa+VyZW5lIGhhciBldCBiZWdy5m5zZXQgYW5zdmFyIGlmdC4gcHJvZmVz
c2lvbmVsbGUgcGFydGVyLjBBBggrBgEFBQcBAQQ1MDMwMQYIKwYBBQUHMAGGJWh0dHA6Ly9v
Y3NwLmNlcnRpZmlrYXQuZGsvb2NzcC9zdGF0dXMwIAYDVR0RBBkwF4EVbm9yZ2FhcmRAbG9j
b2xvbW8ub3JnMIGEBgNVHR8EfTB7MEugSaBHpEUwQzELMAkGA1UEBhMCREsxDDAKBgNVBAoT
A1REQzEUMBIGA1UEAxMLVERDIE9DRVMgQ0ExEDAOBgNVBAMTB0NSTDE1NTcwLKAqoCiGJmh0
dHA6Ly9jcmwub2Nlcy5jZXJ0aWZpa2F0LmRrL29jZXMuY3JsMB8GA1UdIwQYMBaAFGC1hexW
ZH4SGSdnHVAVS3OuO/kSMB0GA1UdDgQWBBT3fmtHHifSZivd+FF7AdxtJo7/nzAJBgNVHRME
AjAAMBkGCSqGSIb2fQdBAAQMMAobBFY3LjEDAgOoMA0GCSqGSIb3DQEBBQUAA4IBAQBPSoV/
pf2XJ4bxj4R8lpybKcgl0orqmfhpYDHXCl7ZbvJF7Kjc3w3vakrPd/vsyUvh07wFtEIMiMY2
NVaYAqoMo1PHtndg9XkkTAwdPVlYmZPKGZLzstDKt8sv/wi0sN4EG1zWRfmLfobbLPhQ/onQ
AlckQUKpXB7msY4Lss2ZCtHxgTeR+Z7JJQ8kkAlO19It3oHiIi+85Vd3I6fSk9drTRuI30E2
klMwZM9EfsfiXHcqegCPUINx9YhgwyOfGgk2OaIUAaQ7FHC6+lPONiAAjQnrm6gz+pw6OZZz
BF8Bh/0TvK+LLqQn+cKzUY6hF/76JFMweUHwxrZscWZMnGmkMYICKjCCAiYCAQEwOTAxMQsw
CQYDVQQGEwJESzEMMAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQQIERVQrojAJ
BgUrDgMCGgUAoIIBRzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
Fw0wNzAxMzAxOTE4MjBaMCMGCSqGSIb3DQEJBDEWBBR/goiSv3VK3JqyolxfgibjI0SD5TBI
BgkrBgEEAYI3EAQxOzA5MDExCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMxFDASBgNVBAMT
C1REQyBPQ0VTIENBAgRFVCuiMEoGCyqGSIb3DQEJEAILMTugOTAxMQswCQYDVQQGEwJESzEM
MAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQQIERVQrojBSBgkqhkiG9w0BCQ8x
RTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMC
BzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgFTMfWFe8yLpLRNjnZzqLeEk+KqD
Uf3Ud/GVcPHGcGYsSYydcuvLsF9kg5fgTqZVRwGQbdBv4rFqNRGDAe9x7iUylocKeuHsALZw
HR6m4C9OYez+vYDKwDSheu4cAtg3dTfI6KIJEf1cgFqlgn7YHeD4pI3W034HbYgUEev8nw7q
AAAAAAAA
--------------ms060706060904080807060907--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45BF99FC.3080002>