On 2017/11/21 12:21, S. Donaldson wrote:
> Applies to stable:
> 
>  OpenBSD 6.1 GENERIC.MP amd64
> 
> and stable
> 
>  OpenBSD 6.2 GENERIC.MP amd64
> 
> pf rules that block using the proto key work with a negation fail with a 
> syntax error.
> 
>  block on $int inet proto ! tcp

I think you'll just need two rules for that:

block on $int inet
pass on $int inet proto tcp

> and list based negations also fail
> 
>  block on $int inet proto ! { tcp udp }
> 
> with a syntax error.

Beware of list negations! If this was allowed it would expand to this:

block on $int inet proto ! tcp
block on $int inet proto ! udp

Which is not what you want.

It may seem to work in some cases with a list of IP addresses as the
ruleset optimizer will convert them to a table if there are enough
addresses, but this is dangerous as if you remove enough addresses it
will start to do the wrong thing.

In general avoid negation with lists.
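The two-rule pattern above, carried through to the protocol-list and address-list cases the thread mentions, as an added pf.conf example that is not from either poster; the interface macro, table name and addresses are constructed:

```pf
# Added example (not from the thread): replacing negated lists with an
# explicit default-deny plus pass rules. $int, <trusted> and the addresses
# are constructed placeholders.
int = "em0"

# Intent: drop everything on $int that is not TCP or UDP.
# If "block on $int inet proto ! { tcp udp }" were accepted it would expand to
#   block on $int inet proto ! tcp
#   block on $int inet proto ! udp
# The first rule blocks all UDP, the second blocks all TCP: everything is
# blocked. A pass list expands to OR'd rules, which is the semantics wanted,
# so deny by default and pass the protocols explicitly (last match wins):
block on $int inet
pass on $int inet proto { tcp udp }

# Same trap with addresses. A rule such as
#   pass in on $int inet from ! { 192.0.2.10 192.0.2.20 }
# would expand to one rule per address, each letting the other address
# through; the reply above notes it only appears to work while the optimizer
# happens to fold the list into a table. Declare the table yourself so the
# rule stays a single rule with a single address set:
table <trusted> { 192.0.2.10, 192.0.2.20 }
block in on $int inet
pass in on $int inet from <trusted>

# Check what the parser actually produces before loading:
#   pfctl -nvf /etc/pf.conf
```

`pfctl -nvf` prints the expanded ruleset without loading it, which makes any unintended list expansion visible.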