Date:      Tue, 30 Jan 2007 20:18:20 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Erik Norgaard <norgaard@locolomo.org>
Cc:        FreeBSD Questions <questions@freebsd.org>
Subject:   Re: Negation in tables for packet filter
Message-ID:  <45BF99FC.3080002@locolomo.org>
In-Reply-To: <45BCAC1F.80701@locolomo.org>
References:  <45BCAC1F.80701@locolomo.org>


I got this response off-list:
Lowell Gilbert wrote:

 > Erik Norgaard <norgaard@locolomo.org> writes:
 >
 >> table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
 >>                    !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
 >
 > Think about it; this matches *everything*.  All possible packets are
 > in either !10/8 or !127/8.  etc.

This is clear if tables are a simple or'ing of the entries, but the 
documentation is somewhat confusing; they give this example 
(http://www.openbsd.org/faq/pf/tables.html):

<quote>
   table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }

   block in on dc0 all
   pass  in on dc0 from <goodguys> to any

* 172.16.50.5 - narrowest match is 172.16.0.0/16; packet matches the
   table and will be passed
* 172.16.1.25 - narrowest match is !172.16.1.0/24; packet matches an
   entry in the table but that entry is negated (uses the "!" modifier);
   packet does not match the table and will be blocked
* 172.16.1.100 - exactly matches 172.16.1.100; packet matches the
   table and will be passed
* 10.1.4.55 - does not match the table and will be blocked
</quote>

so maybe I should add 0/0 to the above list?

Thanks, Erik
-- 
Ph: +34.666334818                      web: http://www.locolomo.org
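The following is an added example, not part of Erik's mail and not pf's own code: a small Python model of the narrowest-match rule quoted from the pf FAQ above, applied to both the <goodguys> table and the <internet> table from the thread. It assumes only that rule (longest matching prefix decides, a negated entry excludes) and nothing else about pfctl; under it, a table made solely of negated entries contains no address at all, while putting a positive 0/0 in front of the same negations yields the intended "everything except these ranges" set.

```python
import ipaddress

def parse_table(entries):
    """Parse pf-style entries ("!10/8", "172.16.1.100", "0/0") into
    (network, negated) pairs. Short forms such as "10/8" are padded to
    four octets; a bare address gets a /32."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        addr, _, plen = entry.lstrip("!").partition("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)
        parsed.append((net, negated))
    return parsed

def matches(table, address):
    """Narrowest-match lookup as described in the pf FAQ: among the entries
    containing the address, the one with the longest prefix decides; if that
    entry is negated the address is not in the table."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

# Tables taken from the thread; the all-negated list is Erik's <internet>.
GOODGUYS = parse_table(["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"])
PRIVATE_RANGES = ["!0/8", "!10/8", "!127/8", "!169.254/16", "!172.16/12",
                  "!192.0.2/24", "!192.168/16", "!198.18/15", "!224/4", "!240/4"]
INTERNET_NEG_ONLY = parse_table(PRIVATE_RANGES)
INTERNET_WITH_0_0 = parse_table(["0/0"] + PRIVATE_RANGES)

def goodguys_faq_examples():
    """Re-run the four lookups the FAQ walks through."""
    return {a: matches(GOODGUYS, a)
            for a in ["172.16.50.5", "172.16.1.25", "172.16.1.100", "10.1.4.55"]}

def internet_examples(table):
    """Look up a public (documentation) address and two private ones."""
    return {a: matches(table, a) for a in ["203.0.113.5", "10.1.1.1", "192.168.1.1"]}

if __name__ == "__main__":
    print(goodguys_faq_examples())
    print("negations only:", internet_examples(INTERNET_NEG_ONLY))
    print("with 0/0      :", internet_examples(INTERNET_WITH_0_0))
```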
