On Fri, May 22, 2015 at 1:13 PM, Henning Brauer <[email protected]> wrote:
> * sven falempin <[email protected]> [2015-05-22 16:33]:
> > But it does not explain the output I have.
>
> otoh I'd say your diff is incomplete and misses a bit in expand_rule.

Ok I get it now, log is not like pass, the <to log or not> is computed through the ruleset and used at the end, so the !<dns> was clearing the mistake.

So no ! { } for the moment, as it is a misleading expansion, even doing it like this:

Index: parse.y =================================================================== RCS file: /cvs/src/sbin/pfctl/parse.y,v retrieving revision 1.648 diff -u -p -r1.648 parse.y --- parse.y 21 Apr 2015 16:34:59 -0000 1.648 +++ parse.y 22 May 2015 18:56:35 -0000 @@ -2563,7 +2563,12 @@ optnl : '\n' optnl ipspec : ANY { $$ = NULL; } | xhost { $$ = $1; } - | '{' optnl host_list '}' { $$ = $3; } + | not '{' optnl host_list '}' { + struct node_host *n; + for (n = $4; n != NULL; n = n->next) + n->not = $1; + $$ = $4; + } ;

Creating an anonymous table would be a bad idea because it would be hard to flush during a reload?

-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
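Review bot: In the new `not '{' optnl host_list '}'` action, the loop assigns `n->not = $1;` to every node unconditionally, so any negation a list entry already carries is overwritten. If entries in `host_list` can have their own `!` (that rule is not shown in this hunk), a list written without a leading `!` would have those per-entry flags reset to the value of `$1`, which changes the meaning of rulesets that parse today. Setting the flag only when `$1` is non-zero, or rejecting a negated list that also contains negated entries with a parse error, would avoid that. Separately, marking each host as negated is not the same as negating the set: each node still stands as its own negated match, which is the misleading expansion described in the message and fits the remark that a change in expand_rule is missing. Until the expansion side handles a negated list as a unit, it would be safer for this production to refuse `! { ... }` than to accept it with per-host semantics. A comment above the action stating the intended semantics would also help, and a blank line after the `struct node_host *n;` declaration would match the surrounding style.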
