On Tuesday, February 24, 2015 12:35:54 Daniel-Constantin Mierla wrote:
> On 24/02/15 00:05, Anthony Messina wrote:
> > On Monday, February 23, 2015 09:53:08 AM Daniel-Constantin Mierla wrote:
> > > trusted does string comparison for the address field; it is not considered an IP address.
> > > You should use the address table instead if you just need matching on any IP address or subnet.
> >
> > That's interesting. Is there a reason for the string comparison? Reading the README, the trusted and address functions look incredibly similar, except trusted can match proto, and the address commands can match ports. What would be the advantage or use case of using either trusted or address?
>
> I am not the developer of that function and haven't used it for a while. IIRC, it was added like 2003-2004 and kept being so. I use the address table as it has more features in matching subnets and does pre-compilation of IP addresses, thus is fast.
>
> If someone provides a patch for doing IP-based comparison for the trusted table, it will be accepted. The C helper functions are available, so the patch should not be big (the ipops module can be used as an example of C code for comparing IP addresses).
>
> Cheers,
> Daniel

Understood. I am using the address table as well for that very reason. I just didn't know if it was an *intentional* difference. Thanks.

-A
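The distinction discussed in the thread, a text-only comparison of the address field versus matching on the parsed address, as an added C illustration that is not Kamailio code and does not use the permissions or ipops module APIs. `match_string` behaves like a table that compares the stored text with the source string; `match_ip` parses both sides with `inet_pton` and compares only the first `prefix` bits of the rule. The type `netrule_t`, the helpers `parse_addr` and `parse_rule`, and the sample addresses are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed rule representation (not Kamailio's): address family,
 * binary address in network order, and the number of leading bits
 * that must match. A bare host rule gets prefix 32 or 128. */
typedef struct {
    int af;                  /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* network-order address bytes */
    int prefix;              /* leading bits that must match */
} netrule_t;

/* Parse a textual address; returns AF_INET, AF_INET6, or 0 on failure. */
static int parse_addr(const char *text, unsigned char *out)
{
    if (inet_pton(AF_INET, text, out) == 1)
        return AF_INET;
    if (inet_pton(AF_INET6, text, out) == 1)
        return AF_INET6;
    return 0;
}

/* Parse "a.b.c.d[/n]" or "x::y[/n]" into a netrule_t. */
static bool parse_rule(const char *text, netrule_t *rule)
{
    char buf[64];
    char *slash;
    long prefix = -1;

    if (strlen(text) >= sizeof(buf))
        return false;
    strcpy(buf, text);

    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0)
            return false;
    }

    memset(rule, 0, sizeof(*rule));
    rule->af = parse_addr(buf, rule->addr);
    if (rule->af == 0)
        return false;

    int maxbits = (rule->af == AF_INET) ? 32 : 128;
    if (prefix > maxbits)
        return false;
    rule->prefix = (prefix < 0) ? maxbits : (int)prefix;
    return true;
}

/* Text-only comparison: the two strings must be byte-for-byte identical. */
bool match_string(const char *rule, const char *src)
{
    return strcmp(rule, src) == 0;
}

/* Binary comparison: parse both sides, then compare only the rule's
 * prefix bits, so subnets and alternate spellings of one address match. */
bool match_ip(const char *rule_text, const char *src)
{
    netrule_t rule;
    unsigned char a[16] = {0};

    if (!parse_rule(rule_text, &rule))
        return false;
    if (parse_addr(src, a) != rule.af)
        return false;   /* different address families never match */

    int full = rule.prefix / 8;
    int rem = rule.prefix % 8;
    if (memcmp(a, rule.addr, full) != 0)
        return false;
    if (rem) {
        unsigned char mask = (unsigned char)(0xFF << (8 - rem));
        return (a[full] & mask) == (rule.addr[full] & mask);
    }
    return true;
}

int main(void)
{
    /* Constructed sample: one rule, several spellings of the source. */
    const char *pairs[][2] = {
        { "10.0.0.0/24", "10.0.0.5" },
        { "2001:db8::1", "2001:0db8:0000:0000:0000:0000:0000:0001" },
        { "10.0.0.0/24", "10.0.1.5" },
    };
    for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("rule %-12s src %-40s string:%d ip:%d\n", pairs[i][0], pairs[i][1],
               match_string(pairs[i][0], pairs[i][1]), match_ip(pairs[i][0], pairs[i][1]));
    return 0;
}
```

The second sample pair shows the practical consequence of string comparison: a rule written as `2001:db8::1` never matches a source rendered in expanded form, so an allow-list built on text comparison is only as reliable as the canonicalisation of the address it is handed, while the binary comparison is independent of spelling and gives subnet matching for free. IPv4-mapped IPv6 sources (`::ffff:10.0.0.5`) are treated as a different family here and would need explicit handling in a real implementation.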