Feature request: Check IP range before dynamic add to address list....

I have some ranges in the address list with static IP addresses. But some get there dynamically (content mark…and so on…).
But an IP also gets inside the address list when the whole range it belongs to is already there.
Is it possible to add just IP addresses that are not in the address list, and also only those in an IP range that is not in the address list?

On the rule that adds things to an address list, just add this:
src-address-list=!myAddressList
(assuming you’re checking/adding the source address)

If there is an IP range in the address list, e.g. 192.168.0.0/24, and that rule with src-address-list=!myAddressList wants to add the IP address 192.168.0.5, what will happen? Will 192.168.0.5 be in the address list and also the range 192.168.0.0/24? Or does that rule make it impossible to add, so just the range stays there?

thanks

Yes - this will stop the rule from adding individual hosts which are part of a range.
Adding ranges would be useless if IP addresses within those ranges didn’t match them, right?

Think about it logically:
Suppose 192.168.0.0/24 is in the list.
This means that any IP within this range is in the list.
192.168.0.12 is in the list because it is part of the range 192.168.0.0/24 which is in the list.
Therefore, if a packet comes from 192.168.0.12, then it would pass the requirement of src-address-list=THELIST
If a packet comes from 192.168.0.12, then it would fail the requirement of src-address-list=!THELIST
(src must NOT be in the list)
Therefore, if this condition (src-address-list=!THELIST) is applied to any rule, then that rule will not match packets whose address exists in the list.

So you could even say that these are logically the same:
adding all 255 IPs of a /24 range as individual entries
adding /24 range as single entry.
(first method wastes more CPU though)

So when you say this:
src-address-list=!THELIST action=add-src-to-address-list address-list=THELIST

You mean:
If the source is not already in the list, then add it.

Thanks a lot for the great explanation.
But what if the IP is in an address list with a different name?
For example:
src-address-list=!THELIST action=add-src-to-address-list address-list=THELIST

  • but the IP will be in thelist1 and I don't want to add any IP present in an address list with a different name…

Is it possible to use !alladdresslistip?

Of course this is possible, but you can check only one address-list in a single rule.
So you will have to split your check over multiple rules (and maybe an extra chain) to do this.
E.g. in the main chain (input, forward) you match on the type of traffic you want to put in the address list,
and when it matches you do a “jump” to a new chain (add-to-list).
In the chain add-to-list you first put some checks on all your different address lists, and if they match you
do an accept or return (whatever you like), and finally in that chain you add it to some list.
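A complete RouterOS rule set for the multi-list approach described in the reply above, written as an added example (it is not from the thread or from MikroTik). It keeps the thread's names THELIST, thelist1 and add-to-list; the third list name "trusted", the sample addresses and the choice of new inbound SSH connections as the trigger traffic are assumptions made for this example.

```routeros
# Added example, not from the thread: collect source addresses of new inbound
# SSH attempts into THELIST, but only when the source is not already covered,
# as a host entry or by a containing range, by THELIST, thelist1 or "trusted".
# The list name "trusted" and all addresses below are constructed samples.

/ip firewall address-list
add list=THELIST address=192.168.0.0/24 comment="static range (constructed sample)"
add list=thelist1 address=10.0.0.0/8 comment="constructed sample"
add list=trusted address=203.0.113.10 comment="constructed sample"

/ip firewall filter
# Main chain: select the traffic you want to collect and hand it to add-to-list.
# Place this rule before any drop rule in the input chain.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=jump jump-target=add-to-list comment="candidates for THELIST"

# add-to-list: one rule per list. A source already present in any list
# (individually or inside a range such as 192.168.0.0/24) returns here
# and never reaches the add rule.
add chain=add-to-list src-address-list=THELIST action=return
add chain=add-to-list src-address-list=thelist1 action=return
add chain=add-to-list src-address-list=trusted action=return

# Only sources that matched none of the lists get this far.
# add-src-to-address-list is non-terminating, so the packet continues to
# the final return and then resumes in the input chain after the jump rule.
add chain=add-to-list action=add-src-to-address-list address-list=THELIST \
    address-list-timeout=1d comment="dynamic entry"
add chain=add-to-list action=return
```

With this layout, 192.168.0.5 is never added as a separate dynamic entry because the first return rule in add-to-list already matches it through the 192.168.0.0/24 range, which is exactly the behaviour asked about earlier in the thread. Using return rather than accept means the packet still passes through the rest of the input chain, so a later drop rule for port 22 continues to apply; check the result with /ip firewall address-list print where list=THELIST.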