This seems to me not valid. You can check with

l = "{1.1.1.1,1.1.1.2}"
block from $l

with pfctl -n -v -f file; it produces

l = "{1.1.1.1,1.1.1.2}"
block drop inet from 1.1.1.1 to any
block drop inet from 1.1.1.2 to any

Next try your example.

Karl-Heinz

On 08.05.2009, at 12:37, Cristiano Deana wrote:

> Hi,
>
> I think this is a pf bug:
>
> short description:
>
> internal interface with two different IPs in two different LANs:
> 192.168.20.254/24
> 192.168.21.254/24
> They're used as gateway for the two LANs.
>
> nat rules: every 10 IPs use a different public IP.
> everything works fine for the first LAN; with the second one pf
> doesn't match the right rule (1) but the similar rule for the other LAN (2).
> this is only true for NAT RULES; if I use a similar rule for
> filtering (3, 4) they perfectly match the right one.
>
> (1)
> nat on $ext_if from $lan_pri_01 -> $ip_pub_01
> (2)
> nat on $ext_if from $lan_pri_26 -> $ip_pub_26
> (3)
> pass in log quick on {192.168.20.254} from 192.168.20.0/24 to any flags S/SA keep state
> (4)
> pass in log quick on {192.168.21.254} from 192.168.21.0/24 to any flags S/SA keep state
>
> lan_pri_01="{ 192.168.20.01 - 192.168.20.10 }"
> lan_pri_26="{ 192.168.21.01 - 192.168.21.10 }"
>
> it seems the nat rule uses only the last octet to match.
>
> thanks in advance
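As an added illustration (not code from either poster, and not a substitute for running pfctl -n -v -f against the real file), the following script expands pf-style address lists and ranges, as written in the macros above, into concrete hosts and reports which nat rule a given source address would hit under first-match evaluation. The macro values are constructed from the thread; the assumption that list items are comma or whitespace separated and that "a - b" denotes an inclusive IPv4 range is mine. Expanding both macros this way shows that 192.168.21.x hosts fall only in the second range, so a wrong match would have to come from somewhere other than overlapping macro contents.

```python
"""Expand pf-style address macros and check which nat rule a source hits.

Added example for the thread above; assumes the list/range syntax shown in
the quoted pf.conf macros (constructed sample values, not the poster's file).
Only dotted-quad IPv4 addresses, "a - b" ranges and a.b.c.d/n networks are
handled; hostnames and tables are out of scope.
"""
import ipaddress
import re

# Constructed macros in the style of the original report.
MACROS = {
    "lan_pri_01": "{ 192.168.20.01 - 192.168.20.10 }",
    "lan_pri_26": "{ 192.168.21.01 - 192.168.21.10 }",
}

# Hypothetical rule order: nat rules are first-match, so order matters.
RULES = [
    ("nat_01", MACROS["lan_pri_01"]),
    ("nat_26", MACROS["lan_pri_26"]),
]


def _addr(text):
    """Parse a dotted quad; int() tolerates leading zeros such as '01'."""
    octets = [int(o) for o in text.strip().split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {text!r}")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def expand(spec):
    """Expand '{ a, b - c, d/24 }' into a sorted list of IPv4Address."""
    body = spec.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    hosts = set()
    # Commas and whitespace both separate items; a range keeps its "a - b" shape.
    for item in re.findall(r"\S+\s*-\s*\S+|\S+", body.replace(",", " ")):
        if "-" in item:
            lo, hi = (_addr(p) for p in item.split("-"))
            hosts.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        elif "/" in item:
            hosts.update(ipaddress.IPv4Network(item, strict=False))
        else:
            hosts.add(_addr(item))
    return sorted(hosts)


def first_match(src, rules):
    """Return the name of the first rule whose source list contains src, or None."""
    s = _addr(src)
    for name, spec in rules:
        if s in set(expand(spec)):
            return name
    return None


def overlap(spec_a, spec_b):
    """Hosts present in both expansions; non-empty overlap means rule order decides."""
    return sorted(set(expand(spec_a)) & set(expand(spec_b)))


if __name__ == "__main__":
    for name, spec in MACROS.items():
        hosts = expand(spec)
        print(f"{name}: {len(hosts)} hosts, {hosts[0]} .. {hosts[-1]}")
    print("overlap:", overlap(MACROS["lan_pri_01"], MACROS["lan_pri_26"]))
    for src in ("192.168.20.5", "192.168.21.5", "192.168.21.11"):
        print(f"{src} -> {first_match(src, RULES)}")
```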