* sven falempin <sven.falem...@gmail.com> [2015-05-21 17:29]:
> I propose
>
> Index: pfctl/parse.y
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/parse.y,v
> retrieving revision 1.648
> diff -u -p -r1.648 parse.y
> --- pfctl/parse.y 21 Apr 2015 16:34:59 -0000 1.648
> +++ pfctl/parse.y 21 May 2015 15:21:54 -0000
> @@ -2563,7 +2563,7 @@ optnl : '\n' optnl
>
> ipspec : ANY { $$ = NULL; }
> | xhost { $$ = $1; }
> - | '{' optnl host_list '}' { $$ = $3; }
> + | not '{' optnl host_list '}' { $$ = $4; $$->not = $1; }
>
>
> I tested it on i386 current with a small ruleset; ! table and ! {} now got the
> same behavior,
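Review bot: `$$->not = $1` in the new `ipspec` alternative sets the flag on the head node of `host_list` only; every later node in the list keeps `not` unset, so `! { a, b }` would negate `a` and leave `b` positive. If the alternative is kept, walk the list and set `not` on each node. Even with that fixed, the hunk cannot give set negation: pfctl expands a host list into one rule per host, so a per-node `not` produces `to ! a` and `to ! b`, and a `match` rule set with those two rules hits every address (Henning's `pfctl -nvf -` expansion in this thread shows exactly that). A negated set is what a table lookup gives; a grammar change in `parse.y` does not get there, and if it were merged anyway the new syntax would need a pf.conf(5) note explaining that it is per-host, not per-set, negation.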
huh?

> match log on vic0 proto icmp from any to !{ 8.8.8.8, 8.8.4.4 }

this doesn't do what you think it does. You think it matches everything but
8.8.8.8 and 8.8.4.4, while in reality, it matches everything.

Feed that rule through pfctl -nvf - and you'll see it expanded to

match log on vic0 proto icmp from any to ! 8.8.8.8
match log on vic0 proto icmp from any to ! 8.8.4.4

the list negation discussion is as old as pf.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
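The expansion Henning describes, modelled in Python as an added example that is not part of the thread or of pfctl: `! { a, b }` becomes one rule per host with its own `!`, and because `match` rules apply independently, a destination that misses one single-host rule is caught by the other. The table branch assumes a negated table is a single set lookup; the host list and destinations are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRule:
    """One expanded 'to <host>' match, carrying its own per-rule '!' flag."""
    net: ipaddress.IPv4Network
    negate: bool

    def matches(self, dst: str) -> bool:
        hit = ipaddress.ip_address(dst) in self.net
        return (not hit) if self.negate else hit


def expand_negated_list(hosts: list[str]) -> list[HostRule]:
    """Model of the pfctl -nvf output in the thread: '! { a, b }' is turned
    into one rule per host, and the '!' is copied onto each expanded rule.
    (Constructed model, not pfctl's expansion code.)"""
    return [HostRule(ipaddress.ip_network(h), negate=True) for h in hosts]


def list_rules_match(rules: list[HostRule], dst: str) -> bool:
    """'match' rules are evaluated independently: any rule hitting is a hit."""
    return any(r.matches(dst) for r in rules)


def negated_table_matches(table: list[str], dst: str) -> bool:
    """Assumed table semantics: one rule, one set lookup, then negate."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in ipaddress.ip_network(t) for t in table)


def render(rules: list[HostRule]) -> list[str]:
    """Print the expansion the way the thread shows it."""
    return [f"match ... to {'! ' if r.negate else ''}{r.net.network_address}"
            for r in rules]


if __name__ == "__main__":
    hosts = ["8.8.8.8", "8.8.4.4"]          # constructed sample list
    expanded = expand_negated_list(hosts)
    print("\n".join(render(expanded)))
    for dst in ("8.8.8.8", "8.8.4.4", "1.1.1.1"):
        # list negation: every destination matches; table: only 1.1.1.1 does
        print(dst, "list:", list_rules_match(expanded, dst),
              "table:", negated_table_matches(hosts, dst))
```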