Hello. Let's say I have a host and I want to restrict access to that host to a discontinuous range of IPv6 addresses. For example, let's say I want to allow access to a host from addresses [2a00:1450:400c::, 2a00:1450:400c::1000], [2a04:4e42:600::200, 2a04:4e42:600::400], and individually 2001:1900:2254:206a::50:0, 2001:19f0:5:61d:f000::, and 2001:4998:58:1836::10.
I could try this:

    good_0 = "2a00:1450:400c:: - 2a00:1450:400c::1000"
    good_1 = "2a04:4e42:600::200 - 2a04:4e42:600::400"
    good_2 = 2001:1900:2254:206a::50:0
    good_3 = 2001:19f0:5:61d:f000::
    good_4 = 2001:4998:58:1836::10

    table <good_users> { \
      $good_0, \
      $good_1, \
      $good_2, \
      $good_3, \
      $good_4 \
    }

    pass in from <good_users> to me
    ...

This, however, won't work because IPv6 address ranges are not allowed in tables.

I could try this:

    good_0 = 2a00:1450:400c:: - 2a00:1450:400c::1000
    good_1 = 2a04:4e42:600::200 - 2a04:4e42:600::400
    good_2 = 2001:1900:2254:206a::50:0
    good_3 = 2001:19f0:5:61d:f000::
    good_4 = 2001:4998:58:1836::10

    good_users = "{ \
      $good_0, \
      $good_1, \
      $good_2, \
      $good_3, \
      $good_4 \
    }"

    pass in from $good_users to me
    ...

This won't work either, because macros can't be nested like that: the $good_0, $good_1 references won't be expanded.

I could perhaps insert all of the addresses into a persistent table one by one outside of the pf.conf file (with pfctl -T add), but I'm wary of doing this because the real range of addresses I want to allow would result in billions of addresses being inserted. That sounds like a bad idea.

I could also manually write one pf rule per address and range of addresses, but this would be painful and a serious maintenance burden.

Is there no way to specify a set of ranges and individual addresses without having to write one pf rule for each?

-- 
Mark Raynsford | http://www.io7m.com
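As an added example (not part of the post above): an inclusive address range decomposes into a short list of CIDR prefixes, which pf tables do accept, so the ranges and single hosts from the post can be turned into a table file without inserting addresses one by one. This uses Python's ipaddress module; the output file path and the resulting pfctl/pf.conf lines are assumptions, not something the post states.

```python
import ipaddress

# Constructed from the ranges and hosts given in the post.
RANGES = [
    ("2a00:1450:400c::", "2a00:1450:400c::1000"),
    ("2a04:4e42:600::200", "2a04:4e42:600::400"),
]
HOSTS = [
    "2001:1900:2254:206a::50:0",
    "2001:19f0:5:61d:f000::",
    "2001:4998:58:1836::10",
]


def range_to_prefixes(first, last):
    """Decompose an inclusive range into the minimal list of CIDR prefixes."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a.version != b.version or a > b:
        raise ValueError("range endpoints must be same family and ordered")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def build_table(ranges, hosts):
    """Return the table entries: prefixes for each range, /128 for each host."""
    entries = []
    for first, last in ranges:
        entries.extend(range_to_prefixes(first, last))
    for host in hosts:
        entries.append(str(ipaddress.ip_network(host)))  # host -> /128
    return entries


def covers(entries, addr):
    """Self-check: would this address match the generated table?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e) for e in entries)


if __name__ == "__main__":
    entries = build_table(RANGES, HOSTS)
    # Assumed path; load with: table <good_users> file "/etc/pf.good_users"
    # or at runtime: pfctl -t good_users -T replace -f /etc/pf.good_users
    with open("/etc/pf.good_users", "w") as fh:
        fh.write("\n".join(entries) + "\n")
    print("\n".join(entries))
```

The two ranges in the post become only four prefixes in total, so the table stays small no matter how many addresses a range spans.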