Is it possible to do inverse matching of tags in floating rules?
-
Hi everybody!
Is it possible to set up a floating rule that blocks all outbound traffic on an interface that has not been tagged with a certain tag (inverse matching)? Essentially, I'm trying to find a way to implement the following pf-rule:
block out quick on RED_NET ! tagged RED_NET_OK
So far, the only possible solution I've found is to add the rule to "/etc/inc/filter.inc", but I would rather not have parts of the ruleset outside of the user interface.
Thank you in advance!
-
There doesn't appear to be, but it may not be too difficult to add something that would at least let you enter, say,
!RED_NET_OK
in the Tagged field and then it sees that and splits out the ! into the right spot.
Open a feature request at https://redmine.pfsense.org in the Rules/NAT Category and we'll see what we can do.
-
Thanks for the quick reply!
I have created Feature Request #10186. I'm afraid I forgot to set the category and I do not seem to have the rights to change it after pressing create.
It looks as if the solution that you propose could be implemented with a small change to filter_generate_user_rule($rule) in filter.inc around the lines
if (!empty($rule['tagged'])) { $aline['tagged'] = " tagged \"" .$rule['tagged']. "\" "; }
A small change to the input validation in firewall_rules_edit.php would also be required to allow the value of the "tagged" field to start with an exclamation mark.
I will likely spend a few moments to write the code and patch my current installation of pfSense to enable this feature. Would it be of use to you if I clone the Git repository and send in a patch file (or pull request) with my changes?
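The following is an added, stand-alone sketch of the two changes discussed in the last two posts (the "!" prefix in the Tagged field and the matching input validation). It is example code written for this page, not pfSense's own code and not the patch the poster intended to write: the function names are hypothetical, the rule arrays are constructed, and the allowed tag character set in the validator is an assumption rather than pfSense's real validation rule.

```php
<?php
// Added example, not pfSense's own code: a stand-alone sketch of the two
// changes discussed in this thread. The function names are hypothetical; in
// pfSense the rule text is built in filter_generate_user_rule() in
// /etc/inc/filter.inc and the field is validated in firewall_rules_edit.php.

/**
 * Input validation for the "Tagged" field. Accepts an optional leading "!"
 * (inverse match) followed by a tag name. The allowed character set is an
 * assumption made for this example, not pfSense's actual validation rule.
 * Returns an error message, or null if the value is acceptable.
 */
function validate_tagged_field(string $value): ?string
{
    $value = trim($value);
    if ($value === '') {
        return null; // empty field: no tag condition on the rule
    }
    if (!preg_match('/^!?[A-Za-z0-9_-]+$/', $value)) {
        return 'Tagged may contain only letters, digits, "_" and "-", '
             . 'optionally prefixed with "!" for inverse matching.';
    }
    return null;
}

/**
 * Build the pf "tagged" fragment for one rule. A leading "!" on the stored
 * value is lifted out and emitted as pf's negation: ! tagged "NAME".
 */
function tagged_fragment(string $value): string
{
    $value = trim($value);
    if ($value === '') {
        return '';
    }
    $negate = false;
    if ($value[0] === '!') {
        $negate = true;
        $value = ltrim(substr($value, 1));
    }
    return ($negate ? ' ! tagged "' : ' tagged "') . $value . '" ';
}

/**
 * Assemble a minimal pf rule line from a rule array shaped like the ones
 * pfSense stores (only the keys this example needs are used).
 */
function build_rule(array $rule): string
{
    $line  = $rule['type'] . ' ' . $rule['direction'] . ' quick on ' . $rule['interface'];
    $line .= tagged_fragment($rule['tagged'] ?? '');
    return preg_replace('/\s+/', ' ', trim($line));
}

// Constructed rules for demonstration (not taken from a real config).
$rules = [
    ['type' => 'block', 'direction' => 'out', 'interface' => 'RED_NET', 'tagged' => '!RED_NET_OK'],
    ['type' => 'pass',  'direction' => 'in',  'interface' => 'LAN',     'tagged' => 'RED_NET_OK'],
    ['type' => 'pass',  'direction' => 'in',  'interface' => 'LAN',     'tagged' => '!bad tag'],
];

foreach ($rules as $rule) {
    $err = validate_tagged_field($rule['tagged']);
    if ($err !== null) {
        echo "rejected: {$rule['tagged']}: $err\n";
        continue;
    }
    echo build_rule($rule), "\n";
}
```

The first constructed rule renders as the pf rule the original post asked for, with the tag name quoted; the third is rejected by the validator because of the embedded space. Before loading a hand-patched ruleset, the generated file can be syntax-checked without activating it with `pfctl -nf /tmp/rules.debug`, which is where pfSense writes its generated rules.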