[ndbug] PF question
Hrishikesh Muruk
hrishim at gmail.com
Thu Apr 30 20:24:40 EDT 2015
On Thursday 30 April 2015, N.J. Thomas <njt at ayvali.org> wrote:
> * Hrishikesh Muruk <hrishim at gmail.com> [2015-04-30
> 22:12:28+0530]:
> > Based on the section on tables from the same FAQ. I believe this will
> > work
> >
> > table <goodguys> { 10.0.0.0/8, !10.1.2.3 }
> > pass in on fxp0 from <goodguys> to any
>
> Yes, that will also do what you want to do.
>
> > Lists replicate the rule for each item. How do tables expand?
>
> Tables are not expanded like lists. Matching for tables are against the
> most narrowly matching entry. See this page:
>
> http://www.openbsd.org/faq/pf/tables.html#match
>
> So you could have a table and ruleset like this:
>
> table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
> block in on dc0
> pass in on dc0 from <goodguys>
>
> So anything in 172.16.1.xx is blocked, because of the negation, but
> 172.16.1.100 goes through because it is exactly matched.
>

Ok. I still don't understand this bit.
In the list example you mentioned that the address 10.1.2.3 will not match
rule B.
In the table example

table <goodguys> { 10.0.0.0/8, !10.1.2.3 }
pass in on fxp0 from <goodguys> to any

the address 10.1.2.3 will match the first entry. Based on your first
explanation I don't understand how it will match the 2nd entry.
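The two matching behaviours discussed in this thread, modelled in Python as an added illustration (this is not PF's own code, which uses a radix tree in the kernel, and not something posted by either participant). It implements the rule stated in the quoted reply: a table is checked against the single most specific entry, and a negated entry means "not in the table"; a list is expanded into one rule per element, so `!10.1.2.3` becomes its own `pass from !10.1.2.3` rule that matches every address except 10.1.2.3. The table names, addresses and the assumed preceding `block in` default are taken from the thread or are hypothetical inputs.

```python
"""Model of PF table matching versus list expansion (added illustration).

Assumptions: an implicit 'block in' rule precedes the pass rule, no rule uses
'quick', and the ruleset is evaluated with "last matching rule wins".
"""
import ipaddress


def parse_entry(text):
    """Parse one pf.conf address entry such as '10.0.0.0/8' or '!10.1.2.3'.

    Returns (network, negated). A bare host address becomes a /32 (or /128).
    """
    negated = text.startswith("!")
    net = ipaddress.ip_network(text.lstrip("!"), strict=False)
    return net, negated


def table_match(entries, addr):
    """Table semantics: only the most specific (longest-prefix) entry that
    contains addr counts, and if that entry is negated the address is
    treated as not being in the table at all."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in map(parse_entry, entries):
        # '!10.1.2.3' is a /32, so it is more specific than 10.0.0.0/8
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def list_match(entries, addr):
    """List semantics: 'pass from { a, !b }' is replicated into 'pass from a'
    and 'pass from !b'. The negated rule matches every address except b, so
    any rule that matches makes the packet pass (last matching rule wins)."""
    ip = ipaddress.ip_address(addr)
    passed = False  # the assumed preceding 'block in' default rule
    for net, negated in map(parse_entry, entries):
        if (ip in net) != negated:  # a negated element matches the complement
            passed = True
    return passed


def decision(kind, entries, addr):
    """Return 'pass' or 'block' for addr under 'table' or 'list' semantics."""
    if kind == "table":
        matched = table_match(entries, addr)
    else:
        matched = list_match(entries, addr)
    return "pass" if matched else "block"


if __name__ == "__main__":
    goodguys = ["10.0.0.0/8", "!10.1.2.3"]          # from the thread
    thomas = ["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"]
    for kind, entries, addr in [
        ("table", goodguys, "10.1.2.3"),    # block: the /32 negation wins
        ("list", goodguys, "10.1.2.3"),     # pass: matched by the /8 rule
        ("list", goodguys, "8.8.8.8"),      # pass: matched by 'from !10.1.2.3'
        ("table", thomas, "172.16.1.7"),    # block: !172.16.1.0/24 wins
        ("table", thomas, "172.16.1.100"),  # pass: exact /32 entry wins
    ]:
        print(f"{kind:5} {addr:15} -> {decision(kind, entries, addr)}")
```

The last two list cases are the pitfall behind the original question: in a list, 10.1.2.3 still passes because it matches the 10.0.0.0/8 rule, and 8.8.8.8 passes too, because it matches the expanded `from !10.1.2.3` rule. In a table the negated /32 is simply the most specific entry for 10.1.2.3, so it is the one that decides.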