Negative match based on Alias of multiple networks?

stompro

Can someone confirm that rule matching based on negative (not) aliases works?

I have an alias of local network ranges.

I'm trying to match traffic that has a src from that alias and destination not to that alias, to match traffic that will be routed to the Wan.

Matching based on src = alias, dest = alias works just fine, but when I negate the dest != alias it doesn't seem to match the traffic that it should.

 <alias><name>ShaperLocalLAN</name>

<address>192.168.227.0/24 192.168.1.0/24</address>

			<type>network</type>
			<detail></detail></alias> 

 <rule><id><type>match</type>
                        <tag><tagged><direction>out</direction>
                        <floating>yes</floating>
                        <max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>

                        <source>

<address>ShaperLocalLAN</address>

                        <destination><address>ShaperLocalLAN</address></destination> 
                        <log><defaultqueue>qP2P</defaultqueue></log></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule> 

table <shaperlocallan>{   192.168.227.0/24  192.168.1.0/24 }
ShaperLocalLAN = "<shaperlocallan>"
match  out log  from   $ShaperLocalLAN to  ! $ShaperLocalLAN  queue (qP2P)  label "USER_RULE: Shaper - All - Default To Wan P2P"</shaperlocallan></shaperlocallan> 

Thanks
Josh

jimp

It should be working in the version of pf we have on 2.0. It certainly did not work for 1.2.x though.

That said, using negation can usually be worked around by using two rules, a block and a pass, to achieve the same effect in a manner which is easier to read.