On 04/17/2009 09:25:22 AM, Helmut Schneider wrote:
Karl O. Pinc <k...@meme.com> wrote:
On 04/17/2009 04:10:35 AM, Helmut Schneider wrote:
Helmut Schneider <jumpe...@gmx.de> wrote:

can I group tables? Or specify something like

myNet1="192.168.0.0/24"
myNet2="192.168.1.0/24"
otherNet1="192.168.2.0/24"
otherNet2="192.168.3.0/24"

table <myNet> { $myNet1, $myNet2 }
table <otherNet> { $otherNet1, $otherNet2 }
table <friendlyNet> { <myNet>, <otherNet> }

internet = ! { <myNet>, <friendlyNet> }
internet = ! "{" <myNet> <friendlyNet> "}"
...

Purpose is to create an object called "internet" which excludes all my
known networks/objects.

To start with you need to recognize that macros won't do
the trick.  You need to put everything you want to
exclude into a single table.  A macro will expand
into two rules, so what does not match one rule will
match the other when you negate the macro's test.

So e.g.

<Internet> { !$myNet1, !$myNet2, !$otherNet1, !$otherNet2 }
block in log quick from <Internet> to (self) port 22

will do the trick?

You left off the word "table".  Beyond that, no, I don't think
that will work, although I've not tried that particular syntax.
The problem being, as with the macros, is that the logical
operation used in table lookup, as with rule matching, is "or".
So, something that matches $myNet1 will not match $myNet2,
but that does not matter because $myNet1 has already matched.
Likewise, something that matches $myNet2 will match the table
even though it does not match $myNet1.

You could try it and tell me if I'm wrong.

Instead, negate the whole thing:

table <friendlyNets> { $myNet1, $myNet2, $otherNet1, $otherNet2 }
block in log quick from ! <friendlyNets> to (self) port 22

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
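Karl's point about "or" semantics, as an added illustration that is not part of the thread: a small Python model of how pf evaluates `from ! { a, b, ... }` (the list expands to one rule per element, each negated on its own) against `from ! <friendlyNets>` (one lookup, then one negation). The networks are Helmut's; the two sample source addresses are constructed.

```python
import ipaddress

# Networks from Helmut's example, collected into the single table Karl suggests.
FRIENDLY = [
    ipaddress.ip_network("192.168.0.0/24"),  # $myNet1
    ipaddress.ip_network("192.168.1.0/24"),  # $myNet2
    ipaddress.ip_network("192.168.2.0/24"),  # $otherNet1
    ipaddress.ip_network("192.168.3.0/24"),  # $otherNet2
]


def macro_negation_matches(src, nets):
    """Model 'from ! { a, b, ... }' written with a list/macro.

    pf expands the list into one rule per element, each carrying its own '!'.
    The rules are evaluated independently, so the source counts as matching
    as soon as it lies outside ANY single element: a logical 'or' of the
    negations, which is true for every address once there are two or more
    disjoint networks.
    """
    src = ipaddress.ip_address(src)
    return any(src not in net for net in nets)


def negated_table_matches(src, nets):
    """Model 'from ! <friendlyNets>' with every network in one table.

    The table lookup ('is src in any entry?') happens first and the single
    '!' is applied to that result, which is the 'in none of them' test
    Helmut wants for his "internet" object.
    """
    src = ipaddress.ip_address(src)
    return not any(src in net for net in nets)


if __name__ == "__main__":
    for ip in ("192.168.0.5", "203.0.113.9"):  # constructed sample sources
        print(ip,
              "macro list:", macro_negation_matches(ip, FRIENDLY),
              "negated table:", negated_table_matches(ip, FRIENDLY))
```

The local address 192.168.0.5 is outside $myNet2, so the expanded macro rules treat it as "internet" and the block rule fires; only the negated table leaves it alone.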
