On 2015/05/22 11:09, Henning Brauer wrote:
>
> this doesn't do what you think it does. You think it matches
> everything but 8.8.8.8 and 8.8.4.4, while in reality, it matches
> everything. Feed that rule through
> pfctl -nvf -
> and you'll see it expanded to
>
> match log on vic0 proto icmp from any to ! 8.8.8.8
> match log on vic0 proto icmp from any to ! 8.8.4.4
>
> the list negation discussion is as old as pf.
It became more confusing after the ruleset optimizer was enabled though.
$ echo 'pass proto tcp from {!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4 !5.5.5.5 !6.6.6.6}' | pfctl -nvf -
table <__automatic_0> const { 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 5.5.5.5 6.6.6.6 }
pass inet proto tcp from ! <__automatic_0> to any flags S/SA
$ echo 'pass proto tcp from {!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4}' | pfctl -nvf -
pass inet proto tcp from ! 1.1.1.1 to any flags S/SA
pass inet proto tcp from ! 2.2.2.2 to any flags S/SA
pass inet proto tcp from ! 3.3.3.3 to any flags S/SA
pass inet proto tcp from ! 4.4.4.4 to any flags S/SA
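The following Python is an added illustration of the two expansions shown in this thread; it is not pfctl's code and not part of either mail. It models pf's per-rule semantics: a negated list below the optimizer's table threshold becomes one rule per element, and since rules are evaluated independently, the union of "! a" and "! b" matches every address. Once the list is folded into an automatic table, "! <table>" means "not in the set" and does what the author intended. The function names are hypothetical, and the threshold value (6) is an assumption consistent with the output above (4 entries expanded, 6 folded), not a value stated in the thread.

```python
"""Model of how pf expands a negated address list such as {!a !b ...}.

Added example: a simulation of rule semantics for illustration, not pfctl code.
"""
import ipaddress

# ASSUMPTION: the ruleset optimizer folds a list into an automatic table once it
# has at least this many entries. The thread's output (4 expanded, 6 folded) is
# consistent with 6, but the exact value is not stated in the thread.
TABLE_THRESHOLD = 6


def parse_negated_list(spec):
    """'{!1.1.1.1 !2.2.2.2}' -> [IPv4Network('1.1.1.1/32'), ...].

    Every element must be negated; mixed lists are rejected to keep the model
    focused on the case discussed in the thread.
    """
    body = spec.strip().lstrip('{').rstrip('}')
    body = body.replace(',', ' ').replace('! ', '!')   # accept '! a' as '!a'
    addrs = []
    for tok in body.split():
        if not tok.startswith('!'):
            raise ValueError(f"expected a negated entry, got {tok!r}")
        addrs.append(ipaddress.ip_network(tok[1:], strict=False))
    return addrs


def expand_rules(addrs, optimize=True):
    """Return the negated address set of each rule pfctl would emit.

    Below the threshold each list element becomes its own rule ('! a', '! b').
    At or above it (with the optimizer on) a single rule '! <table>' is emitted
    whose table holds all of them.
    """
    if optimize and len(addrs) >= TABLE_THRESHOLD:
        return [frozenset(addrs)]            # one rule negating one table
    return [frozenset([a]) for a in addrs]   # one rule per element


def rule_matches(negated_set, dst):
    """A rule 'to ! X' matches when dst is in none of the networks in X."""
    return not any(dst in net for net in negated_set)


def ruleset_matches(rules, dst):
    """pf evaluates rules independently: the packet is caught if any rule matches."""
    dst = ipaddress.ip_address(dst)
    return any(rule_matches(r, dst) for r in rules)


def intended_matches(addrs, dst):
    """What the rule author meant: 'everything except these addresses'."""
    dst = ipaddress.ip_address(dst)
    return not any(dst in net for net in addrs)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's examples.
    google = parse_negated_list('{!8.8.8.8 !8.8.4.4}')
    rules = expand_rules(google)
    print(f"{len(rules)} rules; 8.8.8.8 matched by ruleset: "
          f"{ruleset_matches(rules, '8.8.8.8')}; intended: "
          f"{intended_matches(google, '8.8.8.8')}")

    six = parse_negated_list(
        '{!1.1.1.1 !2.2.2.2 !3.3.3.3 !4.4.4.4 !5.5.5.5 !6.6.6.6}')
    print(f"{len(expand_rules(six))} rule(s) with optimizer; 3.3.3.3 matched: "
          f"{ruleset_matches(expand_rules(six), '3.3.3.3')}")
    print(f"{len(expand_rules(six, optimize=False))} rules without optimizer; "
          f"3.3.3.3 matched: {ruleset_matches(expand_rules(six, optimize=False), '3.3.3.3')}")
```

The practical takeaway from the model: the behaviour of a negated list depends on whether the optimizer happened to fold it into a table, which is exactly why the short list matches everything and the six-entry list does not. Rather than relying on that threshold, declare the set explicitly as a table in pf.conf and negate the table reference (`table <google> { 8.8.8.8 8.8.4.4 }` then `to ! <google>`), which has the "not in the set" semantics regardless of list length or optimizer settings.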