On Fri, Apr 08, 2011 at 01:19:59PM +0300, Bojidara Marinchovska wrote:
> Hello,
>
> netif="netif"
> test1="1.2.3.4"
> test2="2.3.4.5"
>
> block in quick on $netif from {!$test1, !$test2} to x.x.x.x - blocks
> the access from the IPs from test1 and test2 macros, BUT it should
> block all other EXCEPT this ones
>
> --
> block in quick on $netif from {$test1, $test2} to x.x.x.x - this
> rule works as expected
> --
> block in quick on $netif from {!$test1, $test2} to x.x.x.x - this
> rule works as expected
This is complex for
block in quick on $netif from {!$test1} to x.x.x.x
> --
> block in quick on $netif from {$test1, !$test2} to x.x.x.x - this
> rule works as expected
This is again complex for
block in quick on $netif from {!$test2} to x.x.x.x
> I know example rule :
>
> block in quick on $netif from {!$test1, !$test2} to x.x.x.x
>
> can be replaced with:
>
> pass in quick on $netif from {$test1, $test2} to x.x.x.x
> block in quick on $netif from any to x.x.x.x
This is wrong. It is expanded to:
block in quick on $netif from {!$test1} to x.x.x.x
block in quick on $netif from {!$test2} to x.x.x.x
and this is just a simple
block in quick on $netif to x.x.x.x
The {foo, bar} notation results in a OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true.
> In the example I used macors, also tried with tables or direct
> inserting IP addresses instead of using macros or tables, but it
> does not work as expected
>
> So it is possible to use {$test, $test1}, but isn't "double
> negation" as following: {!$test1, !$test2} ?
>
--
:wq Claudio
