Solved: Negation in tables for packet filter
Erik Norgaard wrote:

I want to create two tables in my packet filter. The first should match any valid public IP, so I created a table negating anything reserved:

table const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
    !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }

Of course, I could do something different here, defining a table for the networks and negating it. The rest should be caught by the filtering rules anyway, to block non-routable packets.

I have three tables with different registered hosts with different access levels. I want to redirect unknown hosts to a page explaining what to do to get registered:

rdr on $wlan_if proto tcp from { $wlan_net ! ! ! } \
    to port http -> 127.0.0.1 port 8000

This one is solved with:

no rdr on $wlan_if proto tcp from {} \
    to port http
rdr on $wlan_if proto tcp from $wlan_net to ! \
    port http -> 127.0.0.1 port 8000

However, it would be nice to know whether the documentation is incorrect, or whether there is a difference in how negation is treated in nat and filter rules respectively.

Thanks, Erik
--
Ph: +34.666334818
web: http://www.locolomo.org
Re: Negation in tables for packet filter
I got this response off-list:

Lowell Gilbert wrote:
> Erik Norgaard <[EMAIL PROTECTED]> writes:
>
>> table const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
>>     !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
>
> Think about it; this matches *everything*. All possible packets are
> in either !10/8 or !127/8, etc.

This is clear if tables are a simple OR'ing of the entries, but the documentation is somewhat confusing; they give this example (http://www.openbsd.org/faq/pf/tables.html):

table { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
block in on dc0 all
pass in on dc0 from to any

* 172.16.50.5 - narrowest match is 172.16.0.0/16; packet matches the table and will be passed
* 172.16.1.25 - narrowest match is !172.16.1.0/24; packet matches an entry in the table but that entry is negated (uses the "!" modifier); packet does not match the table and will be blocked
* 172.16.1.100 - exactly matches 172.16.1.100; packet matches the table and will be passed
* 10.1.4.55 - does not match the table and will be blocked

So maybe I should add 0/0 to the above list?

Thanks, Erik
--
Ph: +34.666334818
web: http://www.locolomo.org
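As an added illustration (editor's example, not part of the thread or of pf itself), the script below implements the "narrowest match wins" lookup rule quoted from the FAQ above and runs it over the FAQ's own four sample addresses, over the negated-only table from the question, and over the same table with a positive 0/0 entry added as the message suggests. The shorthand expansion (10/8 to 10.0.0.0/8) and the ipaddress-based matcher are this example's own code; the table entries and sample addresses are taken from the thread.

```python
import ipaddress

# Tables copied from the thread: the FAQ example and the negated-only
# "public address" table from the question. RESERVED_WITH_DEFAULT is the
# variant floated at the end of the message: a positive 0/0 entry for the
# negations to carve holes out of.
FAQ_TABLE = ["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"]
RESERVED_NEGATED = ["!0/8", "!10/8", "!127/8", "!169.254/16", "!172.16/12",
                    "!192.0.2/24", "!192.168/16", "!198.18/15", "!224/4", "!240/4"]
RESERVED_WITH_DEFAULT = ["0/0"] + RESERVED_NEGATED


def parse_entry(text):
    """Turn one pf-style entry ('!10/8', '172.16.1.100') into (network, negated).

    pf.conf accepts abbreviated dotted quads such as '10/8'; the ipaddress
    module does not, so missing octets are padded with zeros here.
    """
    negated = text.startswith("!")
    body = text.lstrip("!")
    addr, _, plen = body.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))       # '172.16/12' -> '172.16.0.0/12'
    if not plen:
        plen = "32"                            # bare host entry
    net = ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)
    return net, negated


def table_matches(entries, address):
    """Apply the FAQ's rule: the longest-prefix entry containing the address
    decides. A positive narrowest entry means 'in the table'; a negated
    narrowest entry, or no containing entry at all, means 'not in the table'.
    """
    ip = ipaddress.IPv4Address(address)
    best = None
    for net, negated in map(parse_entry, entries):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def classify(entries, addresses):
    """Map each address to whether the table matches it."""
    return {a: table_matches(entries, a) for a in addresses}


if __name__ == "__main__":
    samples = ["172.16.50.5", "172.16.1.25", "172.16.1.100", "10.1.4.55",
               "8.8.8.8", "192.168.1.1", "172.32.0.1"]
    for name, table in [("FAQ table", FAQ_TABLE),
                        ("negated-only table", RESERVED_NEGATED),
                        ("0/0 plus negations", RESERVED_WITH_DEFAULT)]:
        print(name)
        for addr, hit in classify(table, samples).items():
            print(f"  {addr:15} {'matches' if hit else 'no match'}")
```

Under the FAQ's rule the negated-only table matches no address at all: every address either falls inside a negated entry or inside nothing, and both count as "not in the table". With 0/0 added, the negations become exceptions to a positive entry and the table matches exactly the non-reserved space. The script models only the table lookup, not rule ordering or the nat/rdr evaluation questions raised elsewhere in the thread.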
Negation in tables for packet filter
Hi:

I want to create two tables in my packet filter. The first should match any valid public IP, so I created a table negating anything reserved:

table const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
    !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }

So with the above I should be able to correctly NAT anything going to the internet, and the rest should not be NAT'ed - either it is locally routable or it should be blocked.

nat on $dsn_if from {} \
    to -> ($dsn_if)

This doesn't work as expected; instead I have to remove all negations in the table and create a non-internet table and negate that in the nat rule. Shouldn't they work equivalently? (I also want to use the table in my filter rules, so I'd like to define a table.)

The second should match unknown local hosts. I have three tables with different registered hosts with different access levels, and I want to redirect unknown hosts to a page explaining what to do to get registered:

rdr on $wlan_if proto tcp from { $wlan_net ! ! ! } \
    to port http -> 127.0.0.1 port 8000

This doesn't work either: the table is expanded to four rdr rules, and they are applied before the nat - even if I place it after in the ruleset - so I can't just remove the ! and have the rdr catch all that is not NAT'ed in the previous nat rule.

So, how do I create my nat rules so they work as expected - or rather, so they work as I want?

Thanks, Erik
--
Ph: +34.666334818
web: http://www.locolomo.org