On Thu, 10 Jun 2010 14:08:04 -0400
Peter Fraser <[email protected]> wrote:

Hi,

> I (and I realize I was wrong ) always considered that
> 
> pass quick from { addr1, addr2 }
> 
> Could be written as
> 
> pass quick from addr1
> pass quick from addr2

This is true.

> but if "!" is used this obviously should not be true
> 
> pass quick from { !addr1,  !addr2 }
> 
> cannot be the same as (at least I hope so, since I haven't built the
> system to test it)
> 
> pass quick from !addr1
> pass quick from !addr2

pass quick from { !addr1, !addr2 }

is the same as

pass quick from !addr1
pass quick from !addr2

but it is probably not what you are looking for.

When a packet comes from addr1, the first rule will not match and the
second rule will let the packet pass.
And when a packet comes from addr2, the first rule will match and also
let the packet in without looking at the second rule.
So any packet, either coming from addr1, addr2, or anything else will
pass.

So,
pass quick from { !addr1, !addr2 }
is more or less equivalent to
pass quick

This behavior is not true when using tables, because braces are
expanded when the ruleset is parsed and tables are checked during
execution (I don't know if I'm clear here :D).

-- 
Stephane Sezer
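To make the difference concrete, here is a small simulation of the behaviour described in this thread. It is an added example, not code from the mail or from pf itself; the addresses are constructed placeholders, and the rule grammar it understands is deliberately limited to `pass`/`block`, `quick`, and a single `from` spec (address, negated address, table, negated table). Lists in braces are expanded into separate rules before evaluation, as pfctl does at parse time, while a table is looked up when the rule is evaluated.

```python
from __future__ import annotations
import re

# Constructed sample addresses (placeholders, not from the original mail).
ADDR1 = "192.0.2.10"
ADDR2 = "198.51.100.20"
OTHER = "203.0.113.30"

def expand_rule(rule: str) -> list[str]:
    """Expand 'from { a, b }' into one rule per element (parse-time expansion)."""
    m = re.search(r"from\s*\{([^}]*)\}", rule)
    if not m:
        return [rule]
    items = [i.strip() for i in m.group(1).split(",") if i.strip()]
    return [rule[:m.start()] + "from " + item + rule[m.end():] for item in items]

def host_matches(spec: str, src: str, tables: dict) -> bool:
    """Does one 'from' spec (addr, !addr, <table>, !<table>) match the source?"""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("<") and spec.endswith(">"):
        hit = src in tables[spec[1:-1]]   # table lookup happens at evaluation time
    else:
        hit = src == spec
    return hit != negate

def evaluate(ruleset: list[str], src: str, tables: dict = None) -> str:
    """Walk the expanded ruleset; 'quick' stops at the first match. Default: block."""
    tables = tables or {}
    decision = "block"
    for rule in [r for raw in ruleset for r in expand_rule(raw)]:
        action, *words = rule.split()
        spec = words[words.index("from") + 1]
        if host_matches(spec, src, tables):
            decision = action
            if "quick" in words:
                break
    return decision

def demo() -> dict:
    """Braces-with-negation passes everything; the table form blocks addr1/addr2."""
    braces = [f"pass quick from {{ !{ADDR1}, !{ADDR2} }}"]
    table = ["pass quick from !<bad>"]
    tables = {"bad": {ADDR1, ADDR2}}
    return {
        "braces": {a: evaluate(braces, a) for a in (ADDR1, ADDR2, OTHER)},
        "table": {a: evaluate(table, a, tables) for a in (ADDR1, ADDR2, OTHER)},
    }
```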
