Dear Tech,
I propose
Index: pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.648
diff -u -p -r1.648 parse.y
--- pfctl/parse.y 21 Apr 2015 16:34:59 -0000 1.648
+++ pfctl/parse.y 21 May 2015 15:21:54 -0000
@@ -2563,7 +2563,7 @@ optnl : '\n' optnl
ipspec : ANY { $$ = NULL; }
| xhost { $$ = $1; }
- | '{' optnl host_list '}' { $$ = $3; }
+ | not '{' optnl host_list '}' { $$ = $4; $$->not = $1; }
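Review bot: `$$->not = $1;` in the new `not '{' optnl host_list '}'` alternative marks only the head of the list returned by `host_list`, so when the braces hold more than one host (as in the `{ 8.8.8.8, 8.8.4.4 }` test below) the remaining nodes keep `not` unset and are treated as positive matches. Walk the list and set `not` on every node, the way the `not host` case of `xhost` does, e.g. `for (n = $4; n != NULL; n = n->next) n->not = $1;`. It would also help to spell out in the commit message how a negated braced list behaves once pfctl expands it into one rule per host, since that is where `! { a, b }` may differ from a single negated table lookup; testing a ping to each member of the list, not only one, would confirm the intended semantics.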
I tested it on i386 -current with a small ruleset; ! table and ! {} now show the same behavior:
I can see the ping in pflog0 only if the destination is not in <dns>:
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
table <dns> { 8.8.8.8, 8.8.4.4 }
match log on vic0 proto icmp from any to !{ 8.8.8.8, 8.8.4.4 }
#match log on vic0 proto icmp from any to ! <dns>
#match log on vic0 proto icmp from any to <dns>
#match log on vic0 proto icmp from any to { 8.8.8.8, 8.8.4.4 }
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
Thank you for reading.
--
() ascii ribbon campaign - against html e-mail
/\