On Wed, 27 Mar 2013 19:28:08 -0700, David Ruggiero <thatseattle...@gmail.com> wrote:
> Thanks! No, it didn't occur to me, so very appreciated. I didn't
> remember that you could do that form of the table command to show
> explicit members in a list, so that's also really helpful.
>
> FWIW, though... I would not have expected that pf would silently
> drop - without any warning message or complaint - an address
> explicitly stated as being a member of a constant table definition.
> Even that address. You're right that (at least in hindsight)
> 0.0.0.0/mask might be treated differently - maybe it uses it as a
> marker for an empty slot or the like? But regardless of that, I
> would (a) expect that fact to be documented (if it is, I missed it),
> and (b) expect that the pf parser would say something as it was
> throwing it away (at least a warning message about "unparseable
> address at line XX - ignored" or the like). For it to just drop it on
> the floor and say nothing at all seems - well, kind of non-pf-ish.
>
> Perhaps worth a documentation patch, if not an actual code patch.

Well, even if 0.0.0.0/32 is not included in the table, your table should match any address (at least 0.0.0.0/32), because !192.168.5.128/25 OR !192.168.10.128/25 OR !192.168.99.128/25 is always true.

int_net = "192.168.5.128/25"
wls_net = "192.168.10.128/25"
ptr_net = "192.168.99.128/25"

table <unroutable_ips> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
    !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16, 127.0.0.0/8,
    192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4, 255.255.255.255/32 }

Am I wrong? Why does 0.0.0.0 not match this table? I would be happy to know the behaviour, because my "pfulator"(*) does not work as PF does for this.

Thanks, regards.

(*) https://groupes.renater.fr/wiki/jtacl/index