Firewall Wizards mailing list archives

Re: ip range with iptables


From: mag () bunuel tii matav hu (Magosányi Árpád)
Date: Sat, 19 Apr 2003 13:23:37 +0000

My mail client believes that Wijaya, J. wrote the following:
I am trying to block Yahoo Messenger for my LAN, but only on a certain IP
range. How can I do this? I have already read some articles saying that we can't do
this with iptables, but is there any other way to work around this task?

I ran into the problem just two days ago. József Kadlecsik made some
vague promise-like statements on the phone about writing a match for the
IP range case.
Until then, I wrote some code to break a range into multiple proper subnets.
You can find the relevant Python code attached.
This code is a snippet from a larger project which is not yet ready
for release (a new decision layer for Zorp, which is multilevel secure,
can handle data paths through multiple firewalls, with intelligent
en- and decapsulation, and hides the technicalities from the firewall
admin). What you should know in order to reuse this code is that an
InetBrick represents an IP and port range ((minip,maxip),(minport,maxport)),
and that this information is in the brick's "dim" attribute.

I will release the whole thing (GPLed, of course) as soon as it is
able to pass a plug through. I hope it will be next week.

-- 
GNU GPL: only from clean source

Attachment: helpers.py
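The attached helpers.py is not reproduced in the archive, so here is an added example (written for this page, not the author's code and not part of Zorp) of the technique the message describes: greedily breaking an inclusive IP range into the minimal set of aligned CIDR blocks, then emitting one iptables rule per block. The `range_to_cidrs` algorithm is the standard greedy decomposition; the `dim` tuple shape ((minip,maxip),(minport,maxport)) follows the message's description of InetBrick, and the sample range, chain name and TCP port 5050 are assumptions chosen for illustration only.

```python
import ipaddress


def ip_to_int(ip):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def range_to_cidrs(first, last):
    """Split the inclusive range first..last into the minimal list of CIDR
    blocks. Greedy: starting at `cur`, widen the prefix while the block
    stays aligned to its own size and its last address does not pass `last`.
    """
    cur, end = ip_to_int(first), ip_to_int(last)
    if cur > end:
        raise ValueError("range start %s is after range end %s" % (first, last))
    blocks = []
    while cur <= end:
        prefix = 32
        while prefix > 0:
            block = 1 << (32 - (prefix - 1))  # size of the next wider block
            if cur % block != 0 or cur + block - 1 > end:
                break                          # misaligned or overshoots
            prefix -= 1
        blocks.append("%s/%d" % (ipaddress.IPv4Address(cur), prefix))
        cur += 1 << (32 - prefix)
    return blocks


def matches_stdlib(first, last):
    """Cross-check the greedy result against ipaddress.summarize_address_range."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_cidrs(first, last) == expected


def port_spec(minport, maxport):
    """iptables --dport argument: single port or lo:hi range."""
    return str(minport) if minport == maxport else "%d:%d" % (minport, maxport)


def rules_from_dim(dim, chain="FORWARD", target="DROP", proto="tcp"):
    """Turn a ((minip,maxip),(minport,maxport)) tuple, the shape the message
    ascribes to InetBrick.dim, into one iptables rule per CIDR block.
    Chain, target and protocol are illustrative defaults (assumption)."""
    (minip, maxip), (minport, maxport) = dim
    return [
        "iptables -A %s -s %s -p %s --dport %s -j %s"
        % (chain, cidr, proto, port_spec(minport, maxport), target)
        for cidr in range_to_cidrs(minip, maxip)
    ]


if __name__ == "__main__":
    # Constructed sample: block an assumed Yahoo Messenger port (5050) for
    # the private range 192.168.1.10-192.168.1.20 only.
    sample_dim = (("192.168.1.10", "192.168.1.20"), (5050, 5050))
    for rule in rules_from_dim(sample_dim):
        print(rule)
```

The decomposition is minimal: 192.168.1.10-192.168.1.20 becomes four blocks (/31, /30, /30, /32), so four rules instead of eleven per-host rules. Note that iptables later gained the `iprange` match (`-m iprange --src-range 192.168.1.10-192.168.1.20`), which makes this splitting unnecessary on modern kernels; the CIDR approach is still useful where only plain `-s` matching is available.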
