Hi,
Patrick Tracanelli wrote:
Hello ipfw developers,
Would it be hard to make ipfw processing "and" blocks, just like "or"
blocks? I mean, in the following situation:
ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32
} to any dst-port 22 out via fxp0 setup keep-state
On my understanding, this rule will *always* match, because the OR
block makes the source always be true, because it *won't* be an origin
OR won't the other be. What if we could have:
ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32
} to any dst-port 22 out via fxp0 setup keep-state
?
I have a set of patches that I am playing with that allow the negation
of an entire or block i.e.:
ipfw add deny log tcp from not { 1.1.1.1 or 2.2.2.2 } to any
So far my tests are good, and I can use this syntax anywhere an or-block
can be implemented.
One more thing, I have just noticed that tables do not accept the "me"
expression. Any chance to have ipfw deal with "me" in a table?
Looking at the code this is really not as easy as it sounds. You are
probably better off using something like
ipfw count ip from { table(1) or me } to any
in such situations.
Also I have noticed that it is not possible to add the 255.255.255.255
address to a table either.
I might make these patches available at some point, time permitting.
Patrick.
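To make the point about or-blocks concrete, here is a small added example (not ipfw code and not from either poster) that models ipfw's or-block semantics in Python: a per-atom "not" inverts only that atom, and the proposed outer "not { ... }" inverts the whole block. Running it over a constructed address sample shows that the original rule's source clause matches every address, while the negated or-block behaves like the "and" the question asked for. The parser, `src_matches` and `matches_all` are assumptions made for this illustration.

```python
import ipaddress
import re

def parse_src_spec(spec):
    """Parse '[not] { [not] A or [not] B ... }' into (outer_not, [(atom_not, network), ...]).
    Constructed for this illustration only; it is not ipfw's own parser."""
    spec = spec.strip()
    outer_not = spec.startswith("not ")
    if outer_not:
        spec = spec[4:].strip()
    m = re.fullmatch(r"\{(.*)\}", spec)
    if not m:
        raise ValueError("expected an or-block in braces")
    atoms = []
    for atom in m.group(1).split(" or "):
        atom = atom.strip()
        atom_not = atom.startswith("not ")
        if atom_not:
            atom = atom[4:].strip()
        atoms.append((atom_not, ipaddress.ip_network(atom, strict=False)))
    return outer_not, atoms

def src_matches(spec, addr):
    """True if the source clause matches addr under or-block semantics."""
    outer_not, atoms = parse_src_spec(spec)
    ip = ipaddress.ip_address(addr)
    # An or-block is true when any atom is true; 'not' on an atom flips that atom only.
    block = any((ip in net) != atom_not for atom_not, net in atoms)
    # The proposed outer 'not' flips the whole block (De Morgan: not (A or B) == not A and not B).
    return block != outer_not

def matches_all(spec, sample):
    """Audit helper: does the clause match every address in the sample (i.e. restrict nothing)?"""
    return all(src_matches(spec, a) for a in sample)

# Constructed sample: the two hosts from the question plus an unrelated address.
SAMPLE = ["10.10.10.10", "10.10.10.20", "192.0.2.7"]
ORIGINAL = "{ not 10.10.10.10/32 or not 10.10.10.20/32 }"   # always true
NEGATED_BLOCK = "not { 10.10.10.10/32 or 10.10.10.20/32 }"   # the proposed syntax

if __name__ == "__main__":
    for spec in (ORIGINAL, NEGATED_BLOCK):
        print(spec, "->", [src_matches(spec, a) for a in SAMPLE])
```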
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"