netflow tools - Jul 2005 - Filtering by IP

Hi
The filtering in flowd is very reminiscent of pf. I was wondering if
it''s
possible to have something along the lines of

internal_traffic = "{ 192.168.0.0/24 192.168.2.0/24 }"
discard src $internal_traffic dst $internal_traffic

If not what''s the suggested way of doing this is as once you have more
than a few subnets the rule set grows quite large and I''d imagine quite
inefficient to run.

Thanks

Pete

Pete Bristow wrote:
> Hi
> The filtering in flowd is very reminiscent of pf. I was wondering if
it''s
> possible to have something along the lines of
heh, that is because the flowd rule parser is based on pf''s :)
> internal_traffic = "{ 192.168.0.0/24 192.168.2.0/24 }"
> discard src $internal_traffic dst $internal_traffic
No, that isn''t presently supported.
> If not what''s the suggested way of doing this is as once you have
more
> than a few subnets the rule set grows quite large and I''d imagine
quite
> inefficient to run.
It shouldn''t matter much - the rules are very fast to run and, compared
to a packet filter, aren''t executed nearly as often.

Also, remember that pf internally expands a rule like:

pass in from { 192.20.0.1, 192.20.0.2 } to any

into two separate rules:

pass in from 192.20.0.1 to any
pass in from 192.20.0.2 to any

(though the skip step optimisation speeds things up quite a bit)

-d