Re: NAT negation



On Thu, Jul 25, 2002 at 10:59:00PM +0200, Claudio Jeker wrote:
> On Thu, Jul 25, 2002 at 10:13:54 -0500, Chris Wage wrote:
> > Hi, I have a question regarding the negation (!) operator's use.
> > 
> > I have been trying for some time now to figure out a way to exclude
> > more than one host from redirection in NAT and failing.
> > 
> 
> <SNIP>
> 
> > rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, 1.2.3.6/32 } port 21
> > -> 127.0.0.1 8081
> > 
> > -- This rule loads fine however doesn't work as you might expect, I
> > suppose because it evals into two separate rules which essentially
> > conflict with each other because ! 1.2.3.4/32 is a subset that
> > intersects with ! 1.2.3.6/32.
> > 
> > Can anyone point me in the right direction?
> > 
> 
> This rule expands to:
> rdr on dc1 proto tcp from any to ! 1.2.3.4/32 port 21 -> 127.0.0.1 8081
> rdr on dc1 proto tcp from any to   1.2.3.6/32 port 21 -> 127.0.0.1 8081
> 
> The correct rule should be:
> rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, ! 1.2.3.6/32 } port 21 ->
> 127.0.0.1 8081

no, still nonsense.
will expand to:

rdr on dc1 proto tcp from any to ! 1.2.3.4/32 port 21 -> 127.0.0.1 8081
rdr on dc1 proto tcp from any to ! 1.2.3.6/32 port 21 -> 127.0.0.1 8081

one will always match.

The Right Thing is 

no rdr on dc1 proto tcp from any to 1.2.3.4/32 port 21 -> 127.0.0.1 8081
no rdr on dc1 proto tcp from any to 1.2.3.6/32 port 21 -> 127.0.0.1 8081
   rdr on dc1 proto tcp from any to any        port 21 -> 127.0.0.1 8081
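The thread's point is easy to check by hand if you model the two pf behaviours it relies on: every element of a `{ ... }` list becomes its own rule (the expansions shown by Claudio and Daniel above), and translation rules are applied on a first-match basis, with a matching `no rdr` rule stopping evaluation without redirecting. The following is an added Python simulation of exactly that, not pf code and not part of the original mail; `Rule`, `expand`, `redirected` and `to_pfconf` are names invented for this example, and the three rulesets are the ones from the thread, with the interface, port and target hard-coded to `dc1`, `21` and `127.0.0.1 8081` as in the posted rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "rdr" or "no rdr"
    dst: str      # "any" or an address with mask, e.g. "1.2.3.4/32"
    negate: bool  # True when the term was written "! addr"
    port: int


def expand(action: str, dst_terms: list, port: int) -> list:
    """Expand one 'to { a, b, ... }' list into separate rules, as pf does.

    Each list element becomes its own rule; a leading '!' stays attached
    to the element it was written on. This is why '{ ! a, ! b }' yields
    two rules that are OR-ed, not an 'a AND b are excluded' condition.
    """
    rules = []
    for term in dst_terms:
        negate = term.lstrip().startswith("!")
        addr = term.replace("!", "", 1).strip() if negate else term.strip()
        rules.append(Rule(action, addr, negate, port))
    return rules


def _matches(rule: Rule, dst_ip: str, dst_port: int) -> bool:
    if dst_port != rule.port:
        return False
    if rule.dst == "any":
        in_set = True
    else:
        in_set = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst, strict=False)
    return in_set != rule.negate  # '!' inverts the address test


def redirected(ruleset: list, dst_ip: str, dst_port: int) -> bool:
    """First matching translation rule wins.

    A matching 'rdr' redirects; a matching 'no rdr' ends evaluation with
    no redirection. No match at all also means no redirection.
    """
    for rule in ruleset:
        if _matches(rule, dst_ip, dst_port):
            return rule.action == "rdr"
    return False


def to_pfconf(rule: Rule) -> str:
    """Render an expanded rule in the pf.conf syntax used in the thread."""
    neg = "! " if rule.negate else ""
    return (f"{rule.action} on dc1 proto tcp from any to {neg}{rule.dst} "
            f"port {rule.port} -> 127.0.0.1 8081")


# Chris's original attempt: only the first element carries the '!'.
LIST_ONE_NEGATED = expand("rdr", ["! 1.2.3.4/32", "1.2.3.6/32"], 21)

# Claudio's suggestion: both negated, but still OR-ed after expansion.
LIST_BOTH_NEGATED = expand("rdr", ["! 1.2.3.4/32", "! 1.2.3.6/32"], 21)

# Daniel's version: explicit 'no rdr' exceptions first, catch-all last.
# The 'no rdr' list expands to the two separate 'no rdr' lines he posted.
NO_RDR_EXCEPTIONS = (expand("no rdr", ["1.2.3.4/32", "1.2.3.6/32"], 21)
                     + expand("rdr", ["any"], 21))

if __name__ == "__main__":
    samples = [("one negated", LIST_ONE_NEGATED),
               ("both negated", LIST_BOTH_NEGATED),
               ("no rdr exceptions", NO_RDR_EXCEPTIONS)]
    for name, ruleset in samples:
        print(f"== {name}: expands to")
        for rule in ruleset:
            print("   " + to_pfconf(rule))
        for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6"):
            verdict = "redirected" if redirected(ruleset, ip, 21) else "not redirected"
            print(f"   {ip}:21 -> {verdict}")
```

Running it shows the behaviour described in the thread: with both elements negated, 1.2.3.4 fails the first rule but is caught by the second (and vice versa), so every host is redirected; with the `no rdr` exceptions in front of the catch-all, only 1.2.3.4 and 1.2.3.6 escape translation and everything else on port 21 is redirected.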