> Hello.
>
> Let's say I have a host and I want to restrict access to that host to a
> discontinuous range of IPv6 addresses. For example, let's say I want to
> allow access to a host from addresses [2a00:1450:400c::,
> 2a00:1450:400c::1000], [2a04:4e42:600::200, 2a04:4e42:600::400], and
> individually 2001:1900:2254:206a::50:0, 2001:19f0:5:61d:f000::, and
> 2001:4998:58:1836::10.
>
> I could try this:
>
>   good_0 = "2a00:1450:400c:: - 2a00:1450:400c::1000"
>   good_1 = "2a04:4e42:600::200 - 2a04:4e42:600::400"
>   good_2 = 2001:1900:2254:206a::50:0
>   good_3 = 2001:19f0:5:61d:f000::
>   good_4 = 2001:4998:58:1836::10
>
>   table <good_users> = { \
>     $good_0, \
>     $good_1, \
>     $good_2, \
>     $good_3, \
>     $good_4 \
>   }
>
>   pass in from <good_users> to me ...
>
> This, however, won't work because IPv6 address ranges are not allowed
> in tables.
>
> I could try this:
>
>   good_0 = 2a00:1450:400c:: - 2a00:1450:400c::1000
>   good_1 = 2a04:4e42:600::200 - 2a04:4e42:600::400
>   good_2 = 2001:1900:2254:206a::50:0
>   good_3 = 2001:19f0:5:61d:f000::
>   good_4 = 2001:4998:58:1836::10
>
>   good_users = "{ \
>     $good_0, \
>     $good_1, \
>     $good_2, \
>     $good_3, \
>     $good_4 \
>   }"
>
>   pass in from $good_users> to me ...
>
> This won't work either, because macros can't be nested like that: The
> $good_0, $good_1 references won't be expanded.
>
> I could perhaps insert all of the addresses into a persistent table
> one-by-one outside of the pf.conf file (with pfctl -T add), but I'm wary
> of doing this because the real range of addresses I want to allow would
> result in billions of addresses being inserted. That sounds like a bad
> idea.
>
> I could also manually write one pf rule per address and range of
> addresses, but this would be painful and a serious maintenance burden.
>
> Is there no way to specify a set of ranges and individual addresses
> without having to write one pf rule for each?

I am not sure what is processing the above syntax, but for /bin/sh you
would need to code this as:

  #!/bin/sh
  good_0="2a00:1450:400c::-2a00:1450:400c::1000"
  good_1="2a04:4e42:600::200-2a04:4e42:600::400"
  good_2="2001:1900:2254:206a::50:0"
  good_3="2001:19f0:5:61d:f000::"
  good_4="2001:4998:58:1836::10"

  echo ${good_0}
  echo ${good_1}
  echo ${good_2}
  echo ${good_3}

  good_users="${good_0},${good_1},${good_2},${good_3},${good_4}"

  echo ${good_users}

To stop nasties like spaces around -'s being token separators, same
for ,'s when you try to glue good_X together, as that will end up as 4
separate tokens, which pf may not like.

I see now pf has its own processor, and says it does not expand macros
inside quotes, so perhaps one needs to write

  good_users=${good_0},${good_1},${good_2},${good_3},${good_4}

to get the desired effect? It probably also does not like my sh syntax
of ${VARIABLE}, over $VARIABLE.

Sad it doesn't use an already well established standard syntax for these
types of things.

> --
> Mark Raynsford | http://www.io7m.com

--
Rod Grimes                                      rgri...@freebsd.org
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
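
An added example, not part of either message above: pf tables reject "a - b" ranges but do accept CIDR prefixes, so each range from the question can be converted to the few prefixes that cover it exactly, which avoids inserting addresses one by one. The function names and the one-line table output are choices made for this example; the addresses are the ones in the question.

```python
import ipaddress

# Ranges and single addresses from the question (None = single address).
ALLOWED = [
    ("2a00:1450:400c::", "2a00:1450:400c::1000"),
    ("2a04:4e42:600::200", "2a04:4e42:600::400"),
    ("2001:1900:2254:206a::50:0", None),
    ("2001:19f0:5:61d:f000::", None),
    ("2001:4998:58:1836::10", None),
]

def range_to_prefixes(first, last=None):
    """Minimal list of CIDR networks covering first..last inclusive."""
    lo = ipaddress.ip_address(first)
    hi = lo if last is None else ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range: {first} - {last}")
    return list(ipaddress.summarize_address_range(lo, hi))

def build_prefixes(entries):
    """Convert every entry, then merge overlapping or adjacent prefixes."""
    nets = [n for first, last in entries for n in range_to_prefixes(first, last)]
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed families
        merged += ipaddress.collapse_addresses(
            [n for n in nets if n.version == version])
    return merged

def render_table(name, entries):
    """Emit a pf.conf table definition on one line (hypothetical helper)."""
    items = []
    for n in build_prefixes(entries):
        # A /128 (or /32) is a single host; print it as a bare address.
        host = n.prefixlen == n.max_prefixlen
        items.append(str(n.network_address) if host else str(n))
    return "table <%s> { %s }" % (name, ", ".join(items))

if __name__ == "__main__":
    prefixes = build_prefixes(ALLOWED)
    covered = sum(n.num_addresses for n in prefixes)
    print(render_table("good_users", ALLOWED))
    print("# %d table entries cover %d addresses" % (len(prefixes), covered))
```

The generated line goes in pf.conf ahead of the "pass in from <good_users> to me ..." rule; a range whose endpoints are not aligned on a power of two simply yields a few more prefixes.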