From: Andy Whitcroft <apw@shadowen.org>
To: netfilter-devel@lists.netfilter.org, zack@the-links.net
Subject: Re: src/dest wilcard matching
Date: Thu, 16 Sep 2004 12:56:23 +0100 [thread overview]
Message-ID: <200409161256.23156.apw@shadowen.org> (raw)
In-Reply-To: <54512.139.76.128.1.1095257166.squirrel@www.the-links.net>
On Wednesday 15 September 2004 15:06, Zachary Link wrote:
> I am looking for the ability to use wilcards or regexp type matching for
> source and destination fields. Maybe this could be an extension or
> something...
>
> For example
> --source 172.*.*.1
> or
> --destination 10.[1-10].[10|20].1
>
> Picture, if you will, a situation where you had 1,000 offices all on
> 10.x.y.0/24 networks. All routers might be 10.x.y.1. You might want to
> give your network guys access to just those devices, and sysadmins access
> to all servers at 10.x.y.10-19 or any other types of devices sitting on
> these networks.
>
> So, the biggest hurdle I need to overcome is to allow arbitrary middle
> octets while matching 1st and last octet. I was looking through the docs
> and I found that something like this could be done with the u32 extensions
> (I think), but it would be very cumbersome, and not easy to use. I also
> took a look at the code and realized there is no way to do it myself as I
> have no real knowledge of C (I'll look like an idiot here if that's not C
> ;-).
>
> So, am I missing some existing functionality that would allow for that?
> Or, does anyone have any desire to develop that sort of feature?
Well some of this is pretty easy. The -s and -d matches are actually in the
form of an address and mask, the normal form is 1.2.3.4/N to match the left N
bits, but there is also a 1.2.3.4/255.0.0.255 form of the mask. You could
use this for some of your stuff definatly.
iptables -A FORWARD -d 10.0.0.1/255.0.0.255 -j ACCEPT
If the ranges you have picked in each subnet are not simply maskable, ie say
16-32 not 10-20 then you could use a user chain for that. Something like the
following, untested but modelled on something which works.
iptables -N adminguy
iptables -A adminguy -d 10.0.0.10/255.0.0.255 -j ACCEPT
[...]
iptables -A adminguy -d 10.0.0.19/255.0.0.255 -j ACCEPT
iptables -N networkguy
iptables -A networkguy -d 10.0.0.1/255.0.0.255 -j ACCEPT
Obviously you could then use source checks to pick in the original
selector ...
iptables -A FORWARD -s 1.2.3.0/24 -j networkguys
iptables -A FORWARD -s 1.2.4.0/24 -j adminguy
-apw
next prev parent reply other threads:[~2004-09-16 11:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-15 14:06 src/dest wilcard matching Zachary Link
2004-09-16 11:56 ` Andy Whitcroft [this message]
2004-09-16 14:01 ` John A. Sullivan III
2004-09-21 13:12 ` Zachary Link
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200409161256.23156.apw@shadowen.org \
--to=apw@shadowen.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=zack@the-links.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.