pf rule macro help ...

Max Laier max at love2party.net
Fri Apr 15 08:44:12 PDT 2005


On Friday 15 April 2005 17:12, Matthew Grooms wrote:
> Thanks for the response. I can use the macros that contain host
> addresses or host names. The problem occurs when I use a '/' in a macro
> and then nest it inside another macro like so ...
>
> net1 = "192.168.1.0/24"
> net2 = "192.168.2.0/24"
> all_nets = "{" $net1 $net2 "}"
> pass from $all_nets to any

Make this:
net1 = "'192.168.1.0/24'"
net2 = "'192.168.2.0/24'"
all_nets = "{" $net1 $net2 "}"
pass from $all_nets to any

Yes, it's a bit cryptic, but it's nearly impossible to fix the parser without
a major undertaking.  This should probably go to the FAQ or even the manpage;
I posted a suggestion to OpenBSD's pf ML a while ago:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=109725883904534&w=2

If OpenBSD doesn't take it, I'll put it into ours after 3.7 is imported.

> It always causes a syntax error. The pf web page says you can nest
> macros so I don't know why it errors out. If you remove the "/24"
> portion of the net1 & net2 macros it works fine.
>
> I thought it may have had something to do with the fact that I am
> running an AMD64 SMP kernel. So I built an i386 UP box and tested the
> same four lines above (with and without the net mask) and got the same
> result.
>
> I know this is a volunteer effort (and greatly appreciated at that),
> but would it be possible for someone to independently confirm what I am
> seeing and to tell me whether this is the intended behavior?
>
> Thanks in advance,
>
> -Matthew
>
> McLone wrote:
> > On 4/14/05, Matthew Grooms <mgrooms at seton.org> wrote:
> >> host1 = "192.168.1.1"
> >> host2 = "192.168.1.2"
> >> all_hosts = "{" $host1 $host2 "}"
> >> ... I always get a syntax error on the "all_nets =" line.
> >
> > Bugs me too. AFAIK there's no way to nest macros.
> > BTW "," isn't needed.
>
> BTW Thanks for the tip.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News