Date: Thu, 13 Jul 2006 21:54:04 +0300 (EEST)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: Brian Candler <B.Candler@pobox.com>
Cc: freebsd-net@freebsd.org, Ensel Sharon <user@dhp.com>
Subject: Re: counting (not) blocks of IPs in ipfw - please help
Message-ID: <20060713214311.T73434@atlantis.atlantis.dp.ua>
In-Reply-To: <20060712083020.GA2607@uk.tiscali.com>
References: <Pine.LNX.4.21.0607101838530.12027-100000@shell.dhp.com> <20060712083020.GA2607@uk.tiscali.com>
Hello!

On Wed, 12 Jul 2006, Brian Candler wrote:

> Firstly, "from any XXX" is giving two different 'from' items. I guess you
> meant "from not { 10.20.0.0/16 or 10.30.0.0/16 }". But that doesn't work
> either:
>
> # ipfw add 00100 count ip from not { 10.20.0.0/16 or 10.30.0.0/16 } to any
> via fxp0 in
> ipfw: hostname ``{'' unknown
>
> ...
> The obvious boolean transformation doesn't work, since "and" is not allowed
> either: i.e.
>
> # ipfw add 00100 count ip from { not 10.20.0.0/16 and not 10.30.0.0/16 } to
> any via fxp0 in
> ipfw: missing ")"

Correct, there is no 'and' keyword in ipfw syntax, since it's redundant: a simple ',' in an address list means 'and'. So this can be written as:

ipfw add 100 count ip from not 10.20.0.0/16,10.30.0.0/16 to any via fxp0 in

since 'not' in the src and dst definitions refers to the whole list:

addr: [not] {any | me | me6 table(number[,value]) | addr-list | addr-set}

(an '|' is missing between 'me6' and 'table...' here, isn't it?)

Sincerely, Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
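The point of the reply above is that in an ipfw address specification the `not` applies to the whole comma-separated list, so `from not 10.20.0.0/16,10.30.0.0/16` counts exactly the packets whose source is in neither prefix. The following is an added example, not code from the thread or from ipfw itself: a small Python model of that matching rule (only `any` and comma-separated prefixes are modelled; `me`, `me6`, tables and sets are left out), run against a constructed set of packets so the semantics can be checked offline. The packet records, the interface name `fxp0` and the helper names are assumptions made for the example.

```python
import ipaddress

def parse_addr_spec(spec):
    """Parse an ipfw-style src/dst spec such as 'not 10.20.0.0/16,10.30.0.0/16'
    or 'any' into (negate, networks). networks is None for 'any'."""
    tokens = spec.split()
    negate = False
    if tokens and tokens[0] == "not":
        negate = True
        tokens = tokens[1:]
    if len(tokens) != 1:
        raise ValueError("bad address spec: %r" % spec)
    if tokens[0] == "any":
        return negate, None
    nets = [ipaddress.ip_network(p, strict=False) for p in tokens[0].split(",")]
    return negate, nets

def addr_matches(spec, addr):
    """True if addr satisfies spec. The address list matches when addr is in
    any listed prefix; a leading 'not' inverts the result for the whole list."""
    negate, nets = parse_addr_spec(spec)
    ip = ipaddress.ip_address(addr)
    in_list = True if nets is None else any(ip in n for n in nets)
    return in_list != negate

def count_rule_hits(src_spec, packets, iface="fxp0", direction="in"):
    """Model 'count ip from <src_spec> to any via <iface> <direction>':
    return how many of the given packets the rule would count."""
    return sum(
        1 for p in packets
        if p["iface"] == iface and p["dir"] == direction
        and addr_matches(src_spec, p["src"])
    )

def same_as_two_not_rules_anded(spec_a, spec_b, addr):
    """Check that 'not A,B' on one address equals (not A) and (not B),
    i.e. the De Morgan form Brian tried to write with 'and'."""
    combined = addr_matches("not %s,%s" % (spec_a, spec_b), addr)
    anded = addr_matches("not " + spec_a, addr) and addr_matches("not " + spec_b, addr)
    return combined == anded

# Constructed sample traffic (not real captures): src, ingress/egress iface, direction.
SAMPLE_PACKETS = [
    {"src": "10.20.1.1",   "iface": "fxp0", "dir": "in"},   # in first /16: not counted
    {"src": "10.30.5.5",   "iface": "fxp0", "dir": "in"},   # in second /16: not counted
    {"src": "10.40.0.1",   "iface": "fxp0", "dir": "in"},   # outside both: counted
    {"src": "192.0.2.7",   "iface": "fxp0", "dir": "in"},   # outside both: counted
    {"src": "198.51.100.9","iface": "em0",  "dir": "in"},   # wrong interface: not counted
    {"src": "203.0.113.4", "iface": "fxp0", "dir": "out"},  # wrong direction: not counted
]

if __name__ == "__main__":
    rule = "not 10.20.0.0/16,10.30.0.0/16"
    print("counted:", count_rule_hits(rule, SAMPLE_PACKETS))
    for p in SAMPLE_PACKETS:
        print(p["src"], addr_matches(rule, p["src"]))
```

Running the model shows that two of the six constructed packets are counted: the ones inbound on `fxp0` from outside both /16s. Note that writing two separate `count ... from not 10.20.0.0/16` and `count ... from not 10.30.0.0/16` rules instead would not be equivalent, since a packet from 10.20.x.x still matches the second rule; the single negated list is the form that expresses "neither".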
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060713214311.T73434>