On Fri, May 22, 2015 at 5:09 AM, Henning Brauer <[email protected]> wrote:
> * sven falempin <[email protected]> [2015-05-21 17:29]:
> > I propose
> >
> > Index: pfctl/parse.y
> > ===================================================================
> > RCS file: /cvs/src/sbin/pfctl/parse.y,v
> > retrieving revision 1.648
> > diff -u -p -r1.648 parse.y
> > --- pfctl/parse.y 21 Apr 2015 16:34:59 -0000 1.648
> > +++ pfctl/parse.y 21 May 2015 15:21:54 -0000
> > @@ -2563,7 +2563,7 @@ optnl : '\n' optnl
> >
> > ipspec : ANY { $$ = NULL; }
> > | xhost { $$ = $1; }
> > - | '{' optnl host_list '}' { $$ = $3; }
> > + | not '{' optnl host_list '}' { $$ = $4; $$->not = $1;
> }
> >
> >
>
> this doesn't do what you think it does. You think it matches
> everything but 8.8.8.8 and 8.8.4.4, while in reality, it matches
> everything. Feed that rule through
> pfctl -nvf -
> and you'll see it expanded to
>
> match log on vic0 proto icmp from any to ! 8.8.8.8
> match log on vic0 proto icmp from any to ! 8.8.4.4
>
> the list negation discussion is as old as pf.
>

Sir, looking at the rules actually shows an unexpected result:

[0]-[sn386.localdomain]-[/root] # pfctl -s rules
block return all
match log on vic0 inet proto icmp from any to ! 8.8.8.8
match log on vic0 inet proto icmp from any to 8.8.4.4
match log on vic0 proto icmp from any to ! <dns>
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010

I did my small test of yesterday again; I can imagine things, but not the same twice ;-)

[0]-[sn386.localdomain]-[/root] # tcpdump -tteni pflog0 icmp&
[1] 25796
[0]-[sn386.localdomain]-[/root] # tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=26.397 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=24.652 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=28.601 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=23.564 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 23.564/25.803/28.601/1.911 ms
[0]-[sn386.localdomain]-[/root] # ping -c 4 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: icmp_seq=0 ttl=51 time=30.802 ms
64 bytes from 8.8.4.4: icmp_seq=1 ttl=51 time=21.942 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=51 time=28.501 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=51 time=28.315 ms
--- 8.8.4.4 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.942/27.390/30.802/3.294 ms
[0]-[sn386.localdomain]-[/root] # ping -c 4 192.168.238.1
PING 192.168.238.1 (192.168.238.1): 56 data bytes
64 bytes from 192.168.238.1: icmp_seq=0 ttl=128 time=0.452 ms
1432296447.095596 rule 1/(match) match out on vic0: 192.168.238.133 > 192.168.238.1: icmp: echo request
1432296447.095604 rule 3/(match) match out on vic0: 192.168.238.133 > 192.168.238.1: icmp: echo request
64 bytes from 192.168.238.1: icmp_seq=1 ttl=128 time=0.321 ms
64 bytes from 192.168.238.1: icmp_seq=2 ttl=128 time=0.379 ms
64 bytes from 192.168.238.1: icmp_seq=3 ttl=128 time=0.406 ms
--- 192.168.238.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.321/0.389/0.452/0.051 ms
[0]-[sn386.localdomain]-[/root] #

Only 192.168.238.1 shows a result in pflog0. This result is really puzzling for me; when I first tested the table negation I was really glad that list negation was possible, as the (block) alternative is often ridiculous to write.

--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
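Review bot: in the `+ | not '{' optnl host_list '}' { $$ = $4; $$->not = $1;` line, `$$->not = $1` sets the negation flag only on the node `host_list` returns, not on every element of the list, which is exactly what the `pfctl -s rules` output later in the thread shows (`to ! 8.8.8.8` followed by `to 8.8.4.4` with no `!`). Propagating the flag to every element would not rescue the construct either: pfctl still expands the braces into one independent rule per element, and a packet matches if any one of those rules matches, so `! { 8.8.8.8, 8.8.4.4 }` matches any destination that differs from at least one element, i.e. everything, as Henning's `pfctl -nvf -` expansion shows. Negation over a set needs a single rule over a table, as the existing `to ! <dns>` rule in the same output does; rejecting `not` before a brace list in the grammar (or documenting that it is per-element) would be clearer than accepting it silently.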
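As an added illustration of the expansion Henning describes (example code written for this page, not from the thread or from pfctl), a small Python model of how pf evaluates a negated host list, which pfctl expands into one rule per element, against a negated table, which is a single set test. It assumes ruleset evaluation only, ignoring pf's state table; the addresses are the ones from the thread.

```python
# Added example (not from the thread or pfctl): models pf's per-rule
# evaluation of a negated host list versus a negated table.
# Assumption: ruleset evaluation only; state-table lookups are ignored.
from ipaddress import ip_address

# Constructed sample: the two resolvers from the thread, in rule order,
# and the three destinations that were pinged.
DNS_LIST = [ip_address("8.8.8.8"), ip_address("8.8.4.4")]
DNS_TABLE = set(DNS_LIST)
PROBES = [ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "192.168.238.1")]


def expand_list(hosts, negate):
    """pfctl turns '{ a, b }' into one rule per element, so a '!' lands on
    elements rather than on the set. negate="all" negates every element
    (Henning's expansion); negate="first" negates only the head, which is
    what the proposed '$$->not = $1' produced per 'pfctl -s rules';
    negate=None is the plain, un-negated list."""
    return [(h, negate == "all" or (negate == "first" and i == 0))
            for i, h in enumerate(hosts)]


def list_rules_match(dst, expanded):
    """Each expanded rule is independent: the packet is matched by the
    expanded set if any single rule in it matches."""
    return any((dst != h) if neg else (dst == h) for h, neg in expanded)


def table_rule_matches(dst, table):
    """'to ! <dns>' is one rule over one set: true iff dst is outside it."""
    return dst not in table


def matched_destinations(negate):
    """Probe destinations hit by 'to ! { 8.8.8.8, 8.8.4.4 }' under a given
    negation style, as sorted strings."""
    rules = expand_list(DNS_LIST, negate)
    return sorted(str(d) for d in PROBES if list_rules_match(d, rules))


def table_matched_destinations():
    """Probe destinations hit by 'to ! <dns>'."""
    return sorted(str(d) for d in PROBES if table_rule_matches(d, DNS_TABLE))


if __name__ == "__main__":
    print("! {list}, every element negated:", matched_destinations("all"))
    print("! {list}, head only negated:    ", matched_destinations("first"))
    print("! <table>:                      ", table_matched_destinations())
```

Only the table form excludes both resolvers; the fully negated list matches every probe, and the head-only variant still lets 8.8.4.4 through.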
