* sven falempin <sven.falem...@gmail.com> [2015-05-22 14:18]:
> looking at the rule actually shows an unexpected result:

> match log on vic0 inet proto icmp from any to ! 8.8.8.8
> match log on vic0 inet proto icmp from any to 8.8.4.4

so it's even worse, you lose the negation on expansion for subsequent
rules.

> These results are really puzzling for me,
> when I first tested the table negation I was really glad that list negation
> was possible,
> the (block) alternative is often ridiculous to write.

so use a table - since lists are expanded at load time, negation there
just can't work that way.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
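
An added example, not part of the thread and not pf's own code: a small Python model of why a negated list cannot mean "none of these addresses" once it is expanded into one rule per address, while a negated table is a single lookup. The function names and the probe address 192.0.2.1 are assumptions; the model treats a packet as logged if any expanded `match log` rule matches its destination.

```python
import ipaddress

# Destinations taken from the thread; the probe address used below is constructed.
LIST = ["8.8.8.8", "8.8.4.4"]

def expand_observed(addrs):
    """Expansion as the loaded ruleset in the thread shows it: one rule per
    list member, with the negation kept only on the first rule."""
    return [(i == 0, ipaddress.ip_address(a)) for i, a in enumerate(addrs)]

def expand_all_negated(addrs):
    """Hypothetical expansion that keeps '!' on every generated rule."""
    return [(True, ipaddress.ip_address(a)) for a in addrs]

def rules_match(rules, dst):
    """True if any single-address rule matches the destination."""
    dst = ipaddress.ip_address(dst)
    return any((dst != addr) if negated else (dst == addr)
               for negated, addr in rules)

def table_negation_match(table, dst):
    """Model of 'to ! <table>': one rule, one set lookup, then negate."""
    members = {ipaddress.ip_address(a) for a in table}
    return ipaddress.ip_address(dst) not in members

def compare(dst):
    """Match result for one destination under the three models."""
    return {
        "observed": rules_match(expand_observed(LIST), dst),
        "all_negated": rules_match(expand_all_negated(LIST), dst),
        "table": table_negation_match(LIST, dst),
    }

if __name__ == "__main__":
    for dst in ("8.8.8.8", "8.8.4.4", "192.0.2.1"):
        print(dst, compare(dst))
```

Even the hypothetical expansion that keeps the negation on every rule matches every destination, because any address differs from at least one list member; only the table form excludes both addresses.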
