Date: Wed, 12 Jul 2006 09:30:20 +0100
From: Brian Candler <B.Candler@pobox.com>
To: Ensel Sharon <user@dhp.com>
Cc: freebsd-net@freebsd.org
Subject: Re: counting (not) blocks of IPs in ipfw - please help
Message-ID: <20060712083020.GA2607@uk.tiscali.com>
In-Reply-To: <Pine.LNX.4.21.0607101838530.12027-100000@shell.dhp.com>
On Mon, Jul 10, 2006 at 06:40:50PM -0400, Ensel Sharon wrote:
> I can't seem to get ipfw to handle a rule like this:
>
>
> ipfw add 00100 count ip from any not { 10.20.0.0/16 or 10.30.0.0/16 } to
> any via em0 in
>
> The error is:
>
> ipfw: missing ``to''
> ipfw: unrecognised option [-1] 10.20.0.0/16
Firstly, "from any XXX" is giving two different 'from' items. I guess you
meant "from not { 10.20.0.0/16 or 10.30.0.0/16 }". But that doesn't work
either:
# ipfw add 00100 count ip from not { 10.20.0.0/16 or 10.30.0.0/16 } to any via fxp0 in
ipfw: hostname ``{'' unknown
According to the manpage, that syntax is not allowed. Notice:
[proto from src to dst] [options]
...
src and dst: {addr | { addr or ... }} [[not] ports]
...
addr: [not] {any | me | me6 table(number[,value]) | addr-list | addr-set}
i.e. "not { x or y }" is not a valid 'src'
The obvious boolean transformation doesn't work, since "and" is not allowed
either: i.e.
# ipfw add 00100 count ip from { not 10.20.0.0/16 and not 10.30.0.0/16 } to any via fxp0 in
ipfw: missing ")"
I think you need to use a table. Or choose another workaround, e.g. two
rules with separate counters, or two rules which jump to another rule which
does the counting.
Regards,
Brian.
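The two workarounds suggested in the reply above, written out as a small script. This is an added example and not part of the original message or of FreeBSD's own code: the first rule set puts the two prefixes in a lookup table and negates the table match (the manpage grammar quoted above allows "not" in front of table(number)); the second uses one skipto rule per prefix so that those packets jump over a single count rule. Rule numbers 100/110/200, the skipto target 300, table number 1 and the interface name em0 are assumptions; change them to fit your ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): two ipfw(8) workarounds for counting
# inbound packets on an interface whose SOURCE is in neither of two prefixes,
# since "from not { a or b }" is rejected by the ipfw parser.
# Rule numbers, the table number and the interface name are assumptions.
set -eu

IFACE=${IFACE:-em0}          # assumed interface
TABLE=${TABLE:-1}            # assumed free table number
SKIP=${SKIP:-300}            # assumed rule number past the count rule
MODE=${MODE:-table}          # "table" or "skipto"

# Workaround 1: load the prefixes into a table and negate the lookup.
# "not table(N)" is a legal addr per the manpage grammar quoted above.
table_rules() {
    cat <<EOF
table $TABLE add 10.20.0.0/16
table $TABLE add 10.30.0.0/16
add 100 count ip from not table($TABLE) to any via $IFACE in
EOF
}

# Workaround 2: one skipto per prefix jumps over the counter, so rule 200
# only ever sees packets from other sources. skipto N resumes at the first
# rule numbered >= N, so rule $SKIP does not have to exist for this to work.
skipto_rules() {
    cat <<EOF
add 100 skipto $SKIP ip from 10.20.0.0/16 to any via $IFACE in
add 110 skipto $SKIP ip from 10.30.0.0/16 to any via $IFACE in
add 200 count ip from any to any via $IFACE in
EOF
}

# Feed a rule list to ipfw one line at a time. If ipfw is not on this host
# (or DRY_RUN=1 is set), print the commands instead of running them, so the
# script can be reviewed on any machine before it touches a firewall.
apply_rules() {
    while IFS= read -r line; do
        if [ "${DRY_RUN:-0}" = 0 ] && command -v ipfw >/dev/null 2>&1; then
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -q $line
        else
            echo "ipfw -q $line"
        fi
    done
}

# Read a counter back. "ipfw show N" prints "N <packets> <bytes> <rule...>",
# so fields 2 and 3 are the counters. Only meaningful on a host with ipfw.
show_counter() {
    ipfw show "$1" | awk '{print $2 " packets, " $3 " bytes"}'
}

case "$MODE" in
    table)  table_rules  | apply_rules ;;
    skipto) skipto_rules | apply_rules ;;
    *)      echo "MODE must be table or skipto" >&2; exit 2 ;;
esac
```

Run it as MODE=table or MODE=skipto (the default is table). Both variants count the same packets; the table form is one rule and is easier to extend when a third prefix turns up (just another "table N add"), while the skipto form needs no table support and keeps every prefix visible in "ipfw list". With the skipto form, remember that any rule you later add between 110 and 200 is also skipped for the two prefixes.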
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060712083020.GA2607>
