[ndbug] PF question
N.J. Thomas
njt at ayvali.org
Thu Apr 30 14:13:48 EDT 2015
* Hrishikesh Muruk <hrishim at gmail.com> [2015-04-30 22:12:28+0530]:
> Based on the section on tables from the same FAQ, I believe this will
> work
>
> table <goodguys> { 10.0.0.0/8, !10.1.2.3 }
> pass in on fxp0 from <goodguys> to any
Yes, that will also do what you want to do.
> Lists replicate the rule for each item. How do tables expand?
Tables are not expanded like lists. Matching for tables is against the
most narrowly matching entry. See this page:
http://www.openbsd.org/faq/pf/tables.html#match
So you could have a table and ruleset like this:
table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
block in on dc0
pass in on dc0 from <goodguys>
So anything in 172.16.1.xx is blocked, because of the negation, but
172.16.1.100 goes through because it is exactly matched.
In pf, tables are super fast and efficient, so you want to use them over
lists, especially if you have a large number of addresses.
hth,
Thomas
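As an added illustration (not pf's own code), here is a small Python model of that "most narrowly matching entry" rule, run against the two tables from this thread; it treats "most narrow" as longest prefix, and a non-match is what falls through to the `block in on dc0` rule above.

```python
import ipaddress

# Constructed tables copied from the two rulesets in this thread.
GOODGUYS_A = ["10.0.0.0/8", "!10.1.2.3"]
GOODGUYS_B = ["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"]


def parse_table(entries):
    """Turn pf-style table entries into (network, negated) pairs.
    A leading '!' marks a negated entry; a bare host becomes a /32."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        parsed.append((net, negated))
    return parsed


def lookup(entries, address):
    """Model pf's table lookup: unlike a list, the table is not expanded
    into one rule per item; the entry with the longest prefix that
    contains the address decides, and a negated winner means no match.
    Returns (matched, winning_entry_or_None)."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, negated in parse_table(entries):
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    if best is None:
        return False, None
    net, negated = best
    return (not negated), ("!" if negated else "") + str(net)


if __name__ == "__main__":
    for table in (GOODGUYS_A, GOODGUYS_B):
        print("table", table)
        for a in ["10.1.2.3", "10.9.9.9", "172.16.5.7", "172.16.1.50",
                  "172.16.1.100", "192.0.2.1"]:
            ok, entry = lookup(table, a)
            print(f"  {a:14} -> {'pass' if ok else 'block'}  via {entry}")
```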