[netflow-tools] Filtering by IP
Damien Miller
djm at mindrot.org
Tue Jul 19 21:56:01 EST 2005
Pete Bristow wrote:
> Hi
> The filtering in flowd is very reminiscent of pf. I was wondering if it's
> possible to have something along the lines of
heh, that is because the flowd rule parser is based on pf's :)
> internal_traffic = "{ 192.168.0.0/24 192.168.2.0/24 }"
> discard src $internal_traffic dst $internal_traffic
No, that isn't presently supported.
> If not what's the suggested way of doing this is as once you have more
> than a few subnets the rule set grows quite large and I'd imagine quite
> inefficient to run.
It shouldn't matter much - the rules are very fast to run and, compared
to a packet filter, aren't executed nearly as often.
Also, remember that pf internally expands a rule like:
pass in from { 192.20.0.1, 192.20.0.2 } to any
into two separate rules:
pass in from 192.20.0.1 to any
pass in from 192.20.0.2 to any
(though the skip step optimisation speeds things up quite a bit)
-d
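An added example, not code from flowd or from this thread, of the expansion Damien describes: a small Python preprocessor that substitutes `$macro` references and expands `{ ... }` sets into one flat rule per combination, the way pf does internally. The `discard src ... dst ...` form is taken from Pete's proposed syntax and is assumed here, not verified against flowd's grammar.

```python
import re
from itertools import product

# Constructed sample config in the macro/set style proposed in the thread.
# The rule form is assumed from the quoted question, not from flowd's grammar.
SAMPLE = """\
internal_traffic = "{ 192.168.0.0/24 192.168.2.0/24 }"
discard src $internal_traffic dst $internal_traffic
accept src 10.0.0.0/8
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
SET_RE = re.compile(r'\{([^}]*)\}')


def expand_rules(text):
    """Expand macros and { ... } sets into flat single-address rules,
    one rule per combination, mirroring pf's internal expansion."""
    macros = {}
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Substitute $name references, longest name first so $ab never matches $a.
        for name in sorted(macros, key=len, reverse=True):
            line = line.replace('$' + name, macros[name])
        # Each { a b c } (or { a, b, c }) set becomes a list of alternatives.
        sets = [s.replace(',', ' ').split() for s in SET_RE.findall(line)]
        template = SET_RE.sub('{}', line)
        # product() yields one empty tuple when there are no sets, so plain
        # rules pass through unchanged.
        for combo in product(*sets):
            out.append(template.format(*combo))
    return out


if __name__ == '__main__':
    for rule in expand_rules(SAMPLE):
        print(rule)
```

Two subnets in both the src and dst position expand to four discard rules, which is the growth Pete is describing; a one-line shell loop feeding the output into flowd.conf would serve the same purpose.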