counting (not) blocks of IPs in ipfw - please help

Brian Candler B.Candler at pobox.com
Wed Jul 12 08:30:25 UTC 2006


On Mon, Jul 10, 2006 at 06:40:50PM -0400, Ensel Sharon wrote:
> I can't seem to get ipfw to handle a rule like this:
> 
> 
> ipfw add 00100 count ip from any not { 10.20.0.0/16 or 10.30.0.0/16 } to
> any via em0 in
> 
> The error is:
> 
> ipfw: missing ``to''
> ipfw: unrecognised option [-1] 10.20.0.0/16

Firstly, "from any XXX" is giving two different 'from' items. I guess you
meant "from not { 10.20.0.0/16 or 10.30.0.0/16 }". But that doesn't work
either:

# ipfw add 00100 count ip from not { 10.20.0.0/16 or 10.30.0.0/16 } to any via fxp0 in
ipfw: hostname ``{'' unknown

According to the manpage, that syntax is not allowed. Notice:

           [proto from src to dst] [options]

...

     src and dst: {addr | { addr or ... }} [[not] ports]

...

     addr: [not] {any | me | me6 table(number[,value]) | addr-list | addr-set}

i.e. "not { x or y }" is not a valid 'src'

The obvious boolean transformation doesn't work, since "and" is not allowed
either: i.e.

# ipfw add 00100 count ip from { not 10.20.0.0/16 and not 10.30.0.0/16 } to any via fxp0 in
ipfw: missing ")"

I think you need to use a table. Or choose another workaround, e.g. two
rules with separate counters, or two rules which jump to another rule which
does the counting.

Regards,

Brian.
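The two workarounds named above, written out as an added shell example (not code from Brian's message or from the ipfw project): the excluded networks go either into a table that the rule negates, or in front of a skipto that jumps past the counting rule. The table number, rule numbers and interface are placeholder assumptions, and by default the script only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the original thread.  ipfw rejects
# "not { a or b }" as a source, but "not table(N)" is valid 'addr' syntax
# (see the manpage excerpt above), and "skipto" can route the excluded
# networks around a count rule.
# Assumptions: table 1, rule numbers 100-120 and em0 are placeholders.
# IPFW defaults to a dry run that prints the commands instead of running them.
IPFW=${IPFW:-"echo ipfw"}

# Workaround 1: load the excluded networks into a table and negate the
# lookup.  $1 = table number, $2 = interface, remaining args = networks.
count_except_table() {
    table=$1; iface=$2; shift 2
    $IPFW table "$table" flush
    for net in "$@"; do
        $IPFW table "$table" add "$net"
    done
    # One count rule, matching every source that is NOT in the table.
    $IPFW add 00100 count ip from not "table($table)" to any via "$iface" in
}

# Workaround 2: no table.  Sources in the excluded set skip past the
# counter; everything else falls through to the count rule and continues
# with the rest of the ruleset (count never terminates the search).
# $1 = interface, remaining args = networks.
count_except_skipto() {
    iface=$1; shift
    set_list=""
    for net in "$@"; do
        set_list="${set_list:+$set_list or }$net"
    done
    # The braces group is left unquoted so ipfw sees each token separately.
    $IPFW add 00100 skipto 120 ip from { $set_list } to any via "$iface" in
    # skipto resumes at the first rule numbered 120 or higher, so only
    # rule 110 is bypassed for the excluded networks.
    $IPFW add 00110 count ip from any to any via "$iface" in
}

count_except_table 1 em0 10.20.0.0/16 10.30.0.0/16
count_except_skipto em0 10.20.0.0/16 10.30.0.0/16
```

Run with `IPFW=ipfw` to apply the rules for real; check the result afterwards with `ipfw -a list`.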

