This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Show posts MenuQuote from: Monviech (Cedrik) on June 03, 2026, 12:15:39 PMTimeline of the race:
1. client asks DNS
2. dnsmasq resolves / observes result
3. client immediately opens TCP/UDP connection
4. dnsmasq hook updates pf table / alias
5. pf evaluates packet
Quote from: Patrick M. Hausen on June 02, 2026, 08:28:30 PMIf you have an active connection which you intend to block the problem is possibly not that your aliases are not updated in a timely fashion, but that you need to flush the firewall states.Active connections or firewall states are rather unrelated here, no need to touch anything on these. I am just asking for a immediate consistency between parent and nested child alias entries at any point in time with regards to firewall rule matching.
Quote from: techturtle on May 30, 2026, 10:48:08 AMMy case is IPset firewall alias with dnsmasq.
Quote from: Patrick M. Hausen on May 29, 2026, 04:59:05 PMSince the logic cannot easily be changedCan you (or someone else) elaborate, why not / what would need to be done?
QuoteInverting destinations is only allowed for single targets to avoid mis-interpretations
QuoteWithout inversion, the union of destinations is matched = "match if any destination A OR B matches".
With inversion, selected destinations A and B are processed as follows: ¬ ( A ∨ B ) = ¬ A ∧ ¬ B = "match, if destination neither is in A nor in B"