PF: Tables
Introduction
Tables are used to hold groups of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists.
For this reason, a table is ideal for holding a large group of addresses: the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses.
Tables can be used in the following ways:
Tables can be created in pf.conf or with pfctl(8).
Configuration
In pf.conf, tables are created using the table
directive. The following attributes may be specified for each table:
- const - the contents of the table cannot be changed once the
table is created. When this attribute is not specified,
pfctl(8) may be used to add or remove addresses from the
table at any time, even when running with a
securelevel(7) of two or greater.
- persist - causes the kernel to keep the table in memory even
when no rules refer to it. Without this attribute, the kernel will
automatically remove the table when the last rule referencing it is
flushed.
Example:
table <goodguys> { 192.0.2.0/24 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8 }
table <spammers> persist
block in on fxp0 from { <rfc1918>, <spammers> } to any
pass in on fxp0 from <goodguys> to any
Addresses can also be specified using the negation (or "not") modifier
such as:
table <goodguys> { 192.0.2.0/24, !192.0.2.5 }
The goodguys table will now match all addresses in the
192.0.2.0/24 network except for 192.0.2.5.
Note that table names are always enclosed in < > angled brackets.
Tables can also be populated from text files containing a list of IP
addresses and networks:
table <spammers> persist file "/etc/spammers"
block in on fxp0 from <spammers> to any
The file /etc/spammers would contain a list of IP addresses and/or CIDR network blocks, one per line.
Any line beginning with # is treated as a comment and ignored.
Manipulating with pfctl
Tables can be manipulated on the fly by using
pfctl(8). For
instance, to add entries to the <spammers> table created above:
# pfctl -t spammers -T add 218.70.0.0/16
This will also create the <spammers> table if it doesn't already
exist. To list the addresses in a table:
# pfctl -t spammers -T show
The -v argument can also be used with -T show to display statistics for each table entry. To remove addresses from a table:
# pfctl -t spammers -T delete 218.70.0.0/16
For more information on manipulating tables with pfctl,
please read the
pfctl(8) manpage.
Specifying Addresses
In addition to being specified by IP address, hosts may also be
specified by their hostname. When the hostname is resolved to an IP
address, all resulting IPv4 and IPv6 addresses are placed into the
table. IP addresses can also be entered into a table by specifying a
valid interface name or the self keyword.
The table will then contain all IP addresses assigned to that interface
or to the machine (including loopback addresses), respectively.
One limitation when specifying addresses is that 0.0.0.0/0 and
0/0 will not work in tables.
The alternative is to hard code that address or use a
macro.
Address Matching
An address lookup against a table will return the most narrowly matching
entry. This allows for the creation of tables such as:
table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
block in on dc0 all
pass in on dc0 from <goodguys> to any
Any packet coming in through dc0 will have its source address matched
against the table <goodguys>:
- 172.16.50.5 - narrowest match is 172.16.0.0/16; packet matches the
table and will be passed
- 172.16.1.25 - narrowest match is !172.16.1.0/24; packet matches an
entry in the table but that entry is negated (uses the "!" modifier);
packet does not match the table and will be blocked
- 172.16.1.100 - exactly matches 172.16.1.100; packet matches the
table and will be passed
- 10.1.4.55 - does not match the table and will be blocked
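As an added worked example (not from the OpenBSD FAQ or from pf itself), the following Python models the two table behaviours described above: the file format (one address or CIDR block per line, # lines ignored) and the "most narrowly matching entry" lookup with the "!" negation modifier. The function names and the sample /etc/spammers contents are assumptions made here; the <goodguys> table is the one from the text.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# A table entry is a network plus a flag: was it written with the "!" modifier?
Entry = Tuple[Network, bool]


def parse_entry(token: str) -> Entry:
    """Parse one address token as written in pf.conf, e.g. '!172.16.1.0/24'."""
    token = token.strip()
    negated = token.startswith("!")
    if negated:
        token = token[1:].strip()
    # strict=False tolerates host bits; a bare address becomes a /32 or /128.
    return ipaddress.ip_network(token, strict=False), negated


def parse_table_body(body: str) -> List[Entry]:
    """Parse the '{ a, b, !c }' part of a table directive."""
    inner = body.strip().lstrip("{").rstrip("}")
    return [parse_entry(t) for t in inner.split(",") if t.strip()]


def parse_table_file(text: str) -> List[Entry]:
    """Parse the 'file "/etc/spammers"' format: one entry per line, '#' comments."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(parse_entry(line))
    return entries


def lookup(table: List[Entry], address: str) -> Optional[Entry]:
    """Return the most narrowly matching entry (longest prefix), or None."""
    addr = ipaddress.ip_address(address)
    best: Optional[Entry] = None
    for net, negated in table:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    return best


def matches(table: List[Entry], address: str) -> bool:
    """True if the address matches the table: narrowest entry exists and is not negated."""
    best = lookup(table, address)
    return best is not None and not best[1]


# The <goodguys> table from the text, and a constructed sample /etc/spammers file.
GOODGUYS = parse_table_body("{ 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }")
SPAMMERS = parse_table_file("# constructed sample file\n218.70.0.0/16\n\n192.0.2.5\n")
```

Running matches(GOODGUYS, a) over the four addresses listed above reproduces the pass/block outcomes the text describes.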
www@openbsd.org
$OpenBSD: tables.html,v 1.1 2008/04/28 09:28:06 tobias Exp $