[ndbug] PF question
N.J. Thomas
njt at ayvali.org
Fri May 1 02:03:19 EDT 2015
* Hrishikesh Muruk <hrishim at gmail.com> [2015-05-01 05:54:40+0530]:
> Ok. I still don't understand this bit.
> In the list example you mentioned that the address 10.1.2.3 will not match
> rule B
Correct. A packet from that address, given this ruleset:
A) pass in on fxp0 from 10.0.0.0/8
B) pass in on fxp0 from !10.1.2.3
Will match rule A, and will not match rule B.
> In the table example
> table <goodguys> { 10.0.0.0/8, !10.1.2.3 }
> pass in on fxp0 from <goodguys> to any
>
> The address 10.1.2.3 will match the first entry. Based on your first
> explanation I don't understand how it will match the 2nd entry
No, a packet from 10.1.2.3 will NOT match 10.0.0.0/8 in that table.
You are confusing how lists are expanded and how tables are
evaluated. Tables are evaluated with the most specific address.
So given this table:
table <goodguys> { 10.0.0.0/8, !10.1.2.3 }
A packet from 10.1.2.3 is certainly in the 10.0.0.0/8 subnet (which is a /8), but
it matches more specifically the second address, !10.1.2.3, because a
specific IP address can be considered to have a subnet of /32. A /32 is
more specific than a /8.
I'm sorry if that wasn't clear in my earlier email.
Thomas
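The difference Thomas describes, as an added worked example that is not part of the thread: a small Python model of the two evaluation orders (PF's real implementation is in the kernel; this only reproduces the semantics). The list is expanded into one rule per entry and each rule matches on its own, while the table picks the single longest-prefix entry that contains the address and honours its negation. The table and list contents are copied from the thread; the rule text and helper names are constructed for illustration.

```python
import ipaddress

# Constructed from the thread: same entries used as a table and as a list.
TABLE_GOODGUYS = ["10.0.0.0/8", "!10.1.2.3"]
LIST_GOODGUYS = ["10.0.0.0/8", "!10.1.2.3"]


def _parse(entry):
    """Split an entry into (network, negated). A bare IP becomes a /32 host."""
    negated = entry.startswith("!")
    net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
    return net, negated


def table_matches(table, addr):
    """PF table semantics: of all entries containing addr, the one with the
    longest prefix decides; if that entry is negated the address is excluded."""
    ip = ipaddress.ip_address(addr)
    best = None  # (network, negated) of the most specific containing entry
    for entry in table:
        net, negated = _parse(entry)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def expand_list(entries):
    """PF list semantics: 'from { a, b }' is expanded into one rule per entry."""
    return [f"pass in on fxp0 from {e}" for e in entries]


def rule_matches(entry, addr):
    """One expanded rule: 'from net' matches when addr is in net,
    'from !net' matches when addr is NOT in net."""
    net, negated = _parse(entry)
    return (ipaddress.ip_address(addr) in net) != negated


def list_matching_rules(entries, addr):
    """Indices of the expanded rules that match addr. Without 'quick' PF uses
    the last matching rule; since all are 'pass', any match means the packet
    is passed."""
    return [i for i, e in enumerate(entries) if rule_matches(e, addr)]
```

For 10.1.2.3 the table lookup returns False (the /32 negation wins over the /8), whereas the expanded list still matches rule A, so the list version passes the packet.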