Date: Wed, 12 Jul 2006 09:30:20 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Ensel Sharon <user@dhp.com>
Cc: freebsd-net@freebsd.org
Subject: Re: counting (not) blocks of IPs in ipfw - please help
Message-ID: <20060712083020.GA2607@uk.tiscali.com>
In-Reply-To: <Pine.LNX.4.21.0607101838530.12027-100000@shell.dhp.com>
References: <Pine.LNX.4.21.0607101838530.12027-100000@shell.dhp.com>
On Mon, Jul 10, 2006 at 06:40:50PM -0400, Ensel Sharon wrote:
> I can't seem to get ipfw to handle a rule like this:
>
> ipfw add 00100 count ip from any not { 10.20.0.0/16 or 10.30.0.0/16 } to
> any via em0 in
>
> The error is:
>
> ipfw: missing ``to''
> ipfw: unrecognised option [-1] 10.20.0.0/16

Firstly, "from any XXX" is giving two different 'from' items. I guess you
meant "from not { 10.20.0.0/16 or 10.30.0.0/16 }". But that doesn't work
either:

# ipfw add 00100 count ip from not { 10.20.0.0/16 or 10.30.0.0/16 } to any via fxp0 in
ipfw: hostname ``{'' unknown

According to the manpage, that syntax is not allowed. Notice:

    [proto from src to dst] [options]
    ...
    src and dst: {addr | { addr or ... }} [[not] ports]
    ...
    addr: [not] {any | me | me6 table(number[,value]) | addr-list | addr-set}

i.e. "not { x or y }" is not a valid 'src'.

The obvious boolean transformation doesn't work, since "and" is not allowed
either, i.e.

# ipfw add 00100 count ip from { not 10.20.0.0/16 and not 10.30.0.0/16 } to any via fxp0 in
ipfw: missing ")"

I think you need to use a table. Or choose another workaround, e.g. two
rules with separate counters, or two rules which jump to another rule which
does the counting.

Regards,

Brian.
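Added example, not part of the thread above: a small POSIX sh script that implements the two workarounds Brian mentions, the table form (`from not table(N)`, which the quoted manpage grammar does allow) and a skipto form that jumps over the counter for each excluded prefix. Table number 1, rule number 100 and interface em0 are assumptions and can be overridden with environment variables; setting IPFW=echo turns it into a dry run that prints the ipfw commands instead of changing the firewall.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread). Counts inbound
# packets on an interface whose source is NOT in a set of prefixes.
# Assumed defaults: table 1, rule 100, interface em0. Set IPFW=echo to
# print the commands instead of running the real ipfw binary.
IPFW="${IPFW:-ipfw}"
TABLE="${TABLE:-1}"
RULE="${RULE:-100}"
IFACE="${IFACE:-em0}"

# Flush the exclusion table and load each prefix given as an argument.
load_exclusion_table() {
    "$IPFW" table "$TABLE" flush
    for prefix in "$@"; do
        "$IPFW" table "$TABLE" add "$prefix"
    done
}

# One count rule matching every source address not present in the table.
# table(N) is quoted so the shell does not treat the parentheses as syntax.
install_count_rule() {
    "$IPFW" add "$RULE" count ip from not "table($TABLE)" to any via "$IFACE" in
}

# Table-free alternative: one skipto rule per excluded prefix jumps past the
# counter (rule RULE+10) to RULE+20, so only non-excluded sources get counted.
# Assumes fewer than ten excluded prefixes so the rule numbers do not collide.
install_skipto_rules() {
    n="$RULE"
    for prefix in "$@"; do
        "$IPFW" add "$n" skipto "$((RULE + 20))" ip from "$prefix" to any via "$IFACE" in
        n=$((n + 1))
    done
    "$IPFW" add "$((RULE + 10))" count ip from any to any via "$IFACE" in
}

# Usage: sh count-not.sh 10.20.0.0/16 10.30.0.0/16
# (installs the table-based variant when prefixes are passed on the command line)
if [ "$#" -gt 0 ]; then
    load_exclusion_table "$@"
    install_count_rule
fi
```

Run it first with `IPFW=echo` to review the exact rules before they are installed; the table variant is the one to prefer, because changing the excluded prefixes later only needs `ipfw table N add/delete` rather than renumbering rules.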