On 04/08/11 14:04, Claudio Jeker wrote:
On Fri, Apr 08, 2011 at 01:19:59PM +0300, Bojidara Marinchovska wrote:
Hello,
netif="netif"
test1="1.2.3.4"
test2="2.3.4.5"
block in quick on $netif from {!$test1, !$test2} to x.x.x.x - blocks
access from the IPs in the test1 and test2 macros, BUT it should
block all others EXCEPT these ones
--
block in quick on $netif from {$test1, $test2} to x.x.x.x - this
rule works as expected
--
block in quick on $netif from {!$test1, $test2} to x.x.x.x - this
rule works as expected
This is complex for
block in quick on $netif from {!$test1} to x.x.x.x
--
block in quick on $netif from {$test1, !$test2} to x.x.x.x - this
rule works as expected
This is again complex for
block in quick on $netif from {!$test2} to x.x.x.x
I know the example rule:
block in quick on $netif from {!$test1, !$test2} to x.x.x.x
can be replaced with:
pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x
This is wrong. It is expanded to:
block in quick on $netif from {!$test1} to x.x.x.x
block in quick on $netif from {!$test2} to x.x.x.x
Hello,
It is not wrong, but I cannot find whether it is possible to use negation
with AND (something like block in quick from !{$a, $b, $c}), and yes, as
it is typed it will produce exactly the ruleset you wrote.
So if the rules in the conf are defined separately (not interpreted as
subrules)
block in quick on $netif from !$test1 to x.x.x.x
block in quick on $netif from !$test2 to x.x.x.x
why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed by
the first rule? (rules are read from top to bottom)
If test1 contains 1.2.3.4 and test2 contains 2.3.4.5, and I try to
establish a connection from 2.3.4.5 to x.x.x.x, it should be blocked by
the 1st block rule, which is, as you already wrote:
block in quick on $netif from {!$test1} to x.x.x.x
but if I try to establish a connection from 1.2.3.4 to x.x.x.x, it should
not be blocked by the second rule and should be matched by the first one
So the correct question is how to accomplish
pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x
with only 1 rule ?
and this is just a simple
block in quick on $netif to x.x.x.x
The {foo, bar} notation results in an OR operation, so
foo || bar. Now !foo || !bar with foo != bar is always true.
In the example I used macros, and also tried with tables or directly
inserting IP addresses instead of using macros or tables, but it
does not work as expected
So it is possible to use {$test, $test1}, but "double negation" such as
{!$test1, !$test2} is not?