Features enhancement: AND-block and "me" expression on a table...
Patrick Tracanelli
eksffa at freebsdbrasil.com.br
Tue Nov 22 15:00:34 GMT 2005
Hello ipfw developers,
Would it be hard to make ipfw process "and" blocks, just like "or"
blocks? I mean, in the following situation:
ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32 }
to any dst-port 22 out via fxp0 setup keep-state
In my understanding, this rule will *always* match, because the OR block
makes the source always be true, because it *won't* be one origin OR it
won't be the other. What if we could have:
ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32 }
to any dst-port 22 out via fxp0 setup keep-state
?
One more thing, I have just noticed that tables do not accept the "me"
expression. Any chance to have ipfw deal with "me" in a table?
Also, dummynet does not evaluate tables well. Only the first address is
matched against a dummynet rule. It would be great if tables could be
used with dummynet and all the mask specifiers...
Those are only some thoughts... =)
--
Patrick Tracanelli
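
Added example, not part of the original message and not ipfw code: a small Python model of the source-address block from the two rules above, showing that the OR of two negated disjoint prefixes matches every source, while the AND requested in the message is the same as one negated membership test over both prefixes. All function names are hypothetical, the source addresses are constructed, and `and_block` models the proposed syntax only.

```python
import ipaddress

def parse_term(spec):
    """Split 'not 10.10.10.10/32' into (negated, network)."""
    negated = spec.startswith("not ")
    return negated, ipaddress.ip_network(spec[4:] if negated else spec)

def term_matches(spec, src):
    negated, net = parse_term(spec)
    # A negated term matches exactly when the address is outside the prefix.
    return (ipaddress.ip_address(src) in net) != negated

def or_block(specs, src):
    """Model of { a or b }: one matching term is enough."""
    return any(term_matches(s, src) for s in specs)

def and_block(specs, src):
    """Hypothetical { a and b } as requested in the message: all terms must match."""
    return all(term_matches(s, src) for s in specs)

def outside_all(prefixes, src):
    """De Morgan form of 'not A and not B': not (A or B), a negated set lookup."""
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(p) for p in prefixes)

# Source block from the rule in the message.
RULE = ["not 10.10.10.10/32", "not 10.10.10.20/32"]
# Constructed sample sources: the two listed hosts plus two others.
SOURCES = ["10.10.10.10", "10.10.10.20", "10.10.10.30", "192.0.2.7"]
# Constructed variant with overlapping prefixes, where OR no longer matches everything.
OVERLAP = ["not 10.10.10.0/24", "not 10.10.10.10/32"]

if __name__ == "__main__":
    for src in SOURCES:
        print(f"{src:12} or={or_block(RULE, src)!s:5} and={and_block(RULE, src)}")
    print("overlap, 10.10.10.10:", or_block(OVERLAP, "10.10.10.10"))
```

The OR block matches everything here only because the two /32 prefixes are disjoint, so no address can fail both negated terms; with overlapping prefixes an address inside both is not matched.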