From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] negate ip addresses
Date: Wed, 04 Jun 2003 13:05:24 +0000
Message-ID: <marc-lartc-105473202732531@msgid-missing>
In-Reply-To: <marc-lartc-105471426914632@msgid-missing>

Lars,

 : is it possible to make rules or routes with negated ip addresses like
 : that:

You can simulate this with the following technique:

# ip rule add table xyz
# ip route add $ALLOWED_DESTINATION table xyz
# ip route add throw default table xyz

Strictly speaking, this might require a bit more gyration to accomplish
your desired syntax, while still allowing you to reach your goal.

The "throw" route type allows you to create sets of tables which can be
used to "negate".

  http://linux-ip.net/html/routing-rpdb.html
  http://linux-ip.net/html/routing-tables.html#routing-table-entries

 : ip rule add from ! 192.168.0.0/16 table xyz

The closest suggestion I can make to your desired syntax would be to use
two routing tables.

# ip rule add from 192.168.0.0/16 table notxyz
# ip rule add blackhole from 192.168.0.0/16
# ip rule add table xyz

The first two rules would take care of all packets bound from
192.168.0.0/16, and the last rule would effectively handle any packets
which were from ! 192.168.0.0/16.

These would need to be higher priority (lower number) in the RPDB in order
for this to function properly.

 : Or is this planned for the future?

I have no idea.  I'd bet the answer is "no", but you could probably get it
straight from the linux-net horse's mouth if you asked.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
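
An added example, not part of the original message: a small Python model of how the RPDB walks rules in priority order and how a "throw" route ends the lookup in one table, applied to both rule sets in the message. The table name `allowed`, the explicit priorities, the gateways and the documentation prefixes are constructed assumptions.

```python
import ipaddress

N = ipaddress.ip_network

def lookup(table, dst):
    """Longest-prefix match in one table; returns (route_type, via) or None."""
    hits = [r for r in table if ipaddress.ip_address(dst) in r[0]]
    if not hits:
        return None
    _, rtype, via = max(hits, key=lambda r: r[0].prefixlen)
    return rtype, via

def rpdb_route(rules, tables, src, dst):
    """Walk rules by ascending priority; return (table_or_action, via)."""
    for _prio, selector, action, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and ipaddress.ip_address(src) not in selector:
            continue                      # "from" selector does not match
        if action != "lookup":
            return action, None           # e.g. a blackhole rule: stop here
        hit = lookup(tables.get(table, []), dst)
        if hit is None or hit[0] == "throw":
            continue                      # lookup failed here, try next rule
        if hit[0] != "unicast":
            return hit[0], None           # e.g. a blackhole route in a table
        return table, hit[1]
    return "unreachable", None

# Constructed sample tables (gateways and prefixes are made up).
TABLES = {
    "xyz":     [(N("0.0.0.0/0"), "unicast", "10.0.0.1")],
    "notxyz":  [(N("172.16.0.0/12"), "unicast", "10.0.0.2")],
    "allowed": [(N("203.0.113.0/24"), "unicast", "10.0.0.1"),
                (N("0.0.0.0/0"), "throw", None)],
    "main":    [(N("0.0.0.0/0"), "unicast", "10.0.0.254")],
}

# Two-table form: "from ! 192.168.0.0/16 table xyz".
RULES_NEGATED = [
    (100, N("192.168.0.0/16"), "lookup", "notxyz"),
    (101, N("192.168.0.0/16"), "blackhole", None),
    (102, None, "lookup", "xyz"),
    (32766, None, "lookup", "main"),
]

# Throw form: only the allowed destination is routed by the extra table.
RULES_THROW = [(100, None, "lookup", "allowed"), (32766, None, "lookup", "main")]

if __name__ == "__main__":
    for src in ("10.1.2.3", "192.168.5.9"):
        print(src, rpdb_route(RULES_NEGATED, TABLES, src, "198.51.100.9"))
```
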

Thread overview: 2+ messages
2003-06-04  8:09 [LARTC] negate ip addresses Lars Täuber
2003-06-04 13:05 ` Martin A. Brown [this message]
