Features enhacement: AND-block and "me" expression on a table...
Patrick Bihan-Faou
patrick.bihan-faou at netzuno.com
Thu Nov 24 23:14:02 GMT 2005
Hi,
Patrick Tracanelli wrote:
>
> Hello ipfw developers,
>
> Would it be hard to make ipfw processing "and" blocks, just like "or"
> blocks? I mean, in the following situation:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32
> } to any dst-port 22 out via fxp0 setup keep-state
>
> On my understanding, this rule will *always* match, because the OR
> block makes the source always be true, because it *won't* be an origin
> OR won't the other be. What if we could have:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32
> } to any dst-port 22 out via fxp0 setup keep-state
>
> ?
>
I have a set of patches that I am playing with that allow the negation
of an entire or-block, i.e.:
ipfw add deny log tcp from not { 1.1.1.1 or 2.2.2.2 } to any
So far my tests are good, and I can use this syntax anywhere an or-block
can be implemented.
> One more thing, I have just noticed that tables do not accept the "me"
> expression. Any chance to have ipfw deal with "me" in a table?
>
Looking at the code this is really not as easy as it sounds. You are
probably better off using something like
ipfw count ip from { table(1) or me } to any
in such situations.
Also I have noticed that it is not possible to add the 255.255.255.255
address to a table either.
I might make these patches available at some point, time permitting.
Patrick.
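The boolean point in this exchange is easy to get wrong in a firewall rule, so here is an added example (not from the thread or from FreeBSD's ipfw) that models ipfw's source-address matching for or-blocks, the negated or-block from the reply, the and-block the original poster asked for, and the `{ table(1) or me }` workaround. The evaluator, the hosts, the contents of `table(1)` and the addresses `me` stands for are all constructed for illustration; it shows that `{ not A or not B }` matches every source (a deny rule written that way blocks all outbound SSH), while `not { A or B }` and `{ not A and not B }` are the same De Morgan-equivalent set.

```python
# Added example: a minimal model of ipfw source-address block semantics.
# Constructed for illustration; not FreeBSD code and not from the thread.
import ipaddress

# Constructed stand-ins: the addresses that the "me" keyword would match on
# this host, and the entries held in ipfw table(1).
ME_ADDRS = {ipaddress.ip_address("192.0.2.1")}
TABLE_1 = [ipaddress.ip_network("198.51.100.0/24")]


def atom(expr: str, src: str) -> bool:
    """Evaluate one source atom: 'me', 'table(1)' or a host/CIDR,
    optionally prefixed with 'not' (the per-atom negation ipfw accepts)."""
    tokens = expr.split()
    negate = tokens[0] == "not"
    body = tokens[-1]
    addr = ipaddress.ip_address(src)
    if body == "me":
        result = addr in ME_ADDRS
    elif body.startswith("table("):
        # Only table(1) is modelled here; a real lookup would key on the number.
        result = any(addr in net for net in TABLE_1)
    else:
        result = addr in ipaddress.ip_network(body, strict=False)
    return not result if negate else result


def or_block(atoms, src: str, negate_block: bool = False) -> bool:
    """ipfw's { a or b ... }: matches when any atom matches.
    negate_block models the reply's 'not { ... }' patch (De Morgan: it
    equals 'not a and not b')."""
    matched = any(atom(a, src) for a in atoms)
    return not matched if negate_block else matched


def and_block(atoms, src: str) -> bool:
    """The { a and b ... } block the original poster asked for."""
    return all(atom(a, src) for a in atoms)


def demo() -> dict:
    """Evaluate the thread's rules against three constructed sources."""
    sources = ["10.10.10.10", "10.10.10.20", "10.10.10.30"]
    as_written = ["not 10.10.10.10/32", "not 10.10.10.20/32"]
    plain = ["10.10.10.10/32", "10.10.10.20/32"]
    return {
        # Original rule: { not A or not B } -> true for every source.
        "or_of_negations": [or_block(as_written, s) for s in sources],
        # Reply's patch: not { A or B } -> true only for sources outside A and B.
        "negated_or_block": [or_block(plain, s, negate_block=True) for s in sources],
        # Requested and-block: { not A and not B } -> identical to the line above.
        "and_block": [and_block(as_written, s) for s in sources],
        # Workaround for 'me' in a table: { table(1) or me }.
        "table_or_me": [or_block(["table(1)", "me"], s)
                        for s in ["192.0.2.1", "198.51.100.7", "203.0.113.5"]],
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(f"{name:18} {results}")
```

The first list comes back all true: with `deny ... setup keep-state` that means every outbound SSH connection is dropped, not just the ones from the two excluded hosts. The second and third lists agree, which is why negating the whole or-block is enough to give the requester what an and-block would.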