pf: Aliases exclusions (supress) #4318
just checked. yes, if exclusions are on the bottom of the merged table they must be subsets of networks in the blacklist or they will be ignored when loading in pf.
upd2: find_table_references.py finds references of an IP in tables by reading all tables and testing each line "if ip in IPNetwork"
because it wouldn't perform due to context switches between your script and the pfctl command. (by the way our feature request template is https://github.com/opnsense/core/issues/new?assignees=&labels=&template=feature_request.md , which we really do prefer)
thanks again for quick responses!
we'll let it slip this time, just make sure you use the template next time. It's easier to read if details are more structured (going from "what you want to achieve" to the proposed solution), sometimes there are other options as well which are easier to validate when the functional question is clear.
got it. thank you!
checked: pfctl -Ttest is working in find_table_references.py
works for me
I misread your previous comment, my mistake, the function to check if a (one) address is matched can indeed be refactored like this, using test in the update tables likely will lead to performance issues. Just open a PR and we'll work on it from there, looks like a good addition in my opinion.
Great!)
just start with a PR for find_table_references, since it's a single function call without a relation to other components. If you would like to work on the other piece as well, better do that in a separate PR.
#4320
@kulikov-a no worries, thanks for the PR
@kulikov-a fe25f69 should do the trick, maybe you want to improve our docs on the subject? https://docs.opnsense.org/manual/aliases.html https://github.com/opnsense/docs/blob/6fa0e8da483f2c1e12067999f4cb1db1d718451c/source/manual/aliases.rst
cool! for fe25f69
well, I'm not sure if it adds anything, maybe it's easier to explain that this option is only available for networks (using either a netmask or a single host). just post a PR there, thanks in advance!
well, I'm already using host exclusion for my remote branch offices' public IPs (for bulletproofing). I suppose that might be useful.
The use of the feature is easier to explain from the context of a network entry (all of 192.168.0.0/24, without 192.168.0.1 for example). From a host perspective itself it doesn't really make sense, in which case you're forced to explain the relation with alias nesting.
Yeah) But the idea is indeed in using nesting: {big blocklist (e.g. firehol_level1 which includes bogons), excluded_networks (to exclude some bogons), excluded hosts (to protect some important hosts against accidental blacklisting)} so we can put a blocking rule with this nested alias on top.
Hm. just realized our misunderstanding. yes, the idea IS in nesting. not only in the ability to exclude a subnet in one same table.
my PR for docs (for the case with nesting, hosts and subnets Aliases support): opnsense/docs#283
@kulikov-a I'll add the validation to the hosts as well and close this issue, thanks for working on the docs!
great!
@kulikov-a are you sure the order is relevant? It didn't look like it when testing on my end (didn't see it in the docs either), if it does matter, we probably need to change the sorting to descending here (or use a lambda to push all
( Can you check if the current state really doesn't work on your end?
yes, based on my test. i manually placed "!" strings on top or on bottom of the table-file and loaded tables with pfctl -Treplace via shell. pfctl shows how many strings were imported and the total string count. also in both variants after table loading i tested IPs from excluded networks via pfctl -Ttest. Results were different (fully matched strings ignored regardless of "!". pfctl loads the first and ignores the second). This and https://www.freebsd.org/cgi/man.cgi?pfctl (search for the "duplicated " word on the page) makes me think that pfctl -Treplace reads the table-file string by string and does some inside magic (check conflict, check duplicates) and in this case order is very relevant.
@kulikov-a no problem, better to check again than to find out our new feature is only partially functional. Thanks again for your help.
Hi!
pf supports exclusions in tables (e.g. { 192.168.2.0/24, !192.168.2.5 })
(for now AliasContentField.php and alias.py do not allow adding addresses with an exclamation mark)
the idea is to create an Alias (Network(s) type) with subnets to exclude from other Aliases (blacklists) and create a merged table (Network group type alias) consisting of the blacklist URLTable(IPs) and the Exclude alias (e.g. use the FireHOL level1 list, "cutting" some private and "bulletproof" subnets from it).
I tried (adding "!" sign processing in address validation in the php and py files) and it works.
of course, there are some more subtleties: the order of records in the final table (exclusion should go first imo), the references check stops working in the GUI (pfctl -test works just fine)
but imho it would be great to add this feature to Aliases.
Thanks!!
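As an added example (not the thread's find_table_references.py and not OPNsense code), a small Python model of the pf table semantics discussed in this issue: the most specific entry wins, a `!` entry marks an address as excluded, and, as reported above for pfctl -Treplace, a fully duplicated string keeps whichever copy was loaded first. The table contents and names are constructed for the demonstration.

```python
import ipaddress

# Constructed sample tables in pf table-file syntax (one entry per line, "!" = exclusion).
SAMPLE_TABLES = {
    "blocklist": ["192.168.2.0/24", "!192.168.2.5", "10.0.0.0/8  # comment"],
    "exclusions_only": ["!172.16.0.1"],  # negation without a covering network is ignored
}


def parse_table(lines):
    """Parse table-file lines into (network, negated) tuples.

    Mirrors the behaviour reported in the thread: an entry whose address/prefix
    already appeared is dropped, regardless of its "!" flag (first one loaded wins).
    """
    entries, seen = [], set()
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        negated = text.startswith("!")
        net = ipaddress.ip_network(text.lstrip("!").strip(), strict=False)
        if net in seen:
            continue
        seen.add(net)
        entries.append((net, negated))
    return entries


def table_matches(entries, ip):
    """pf lookup: the longest-prefix entry containing ip decides; negated means 'not in table'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, negated in entries:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    return best is not None and not best[1]


def find_table_references(tables, ip):
    """Names of tables that effectively match ip (what the GUI reference check needs to answer)."""
    return [name for name, lines in tables.items() if table_matches(parse_table(lines), ip)]


if __name__ == "__main__":
    for ip in ("192.168.2.5", "192.168.2.7", "172.16.0.1"):
        print(ip, "->", find_table_references(SAMPLE_TABLES, ip))
```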