Date: Wed, 20 Apr 2005 14:07:21 -0500
From: Matthew Grooms <mgrooms@shrew.net>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf rule macro help ...
Message-ID: <4266A869.9030607@shrew.net>
In-Reply-To: <200504151743.59628.max@love2party.net>
References: <425DB3F8.1070101@seton.org> <451cb30105041416324ada3f27@mail.gmail.com> <425FD9D5.90904@seton.org> <200504151743.59628.max@love2party.net>
Max,

Thanks again for your help. I haven't dug through the parser code myself so I don't understand all the issues. It would be much easier if a ruleset author could use macros to group together networks that get used across many rules. For example ...

net_a1 = "'192.168.1.0/24'"
net_a2 = "'192.168.2.0/24'"
net_a = $net_a1 $net_a2

net_b1 = "'192.168.3.0/24'"
net_b2 = "'192.168.4.0/24'"
net_b = $net_b1 $net_b2

nets = $net_a $net_b

pass from { $nets } to any keep state

... when I try to load this ruleset I get the following errors ...

pf.conf:9: syntax error
pf.conf:11: macro 'nets' not defined
pf.conf:11: syntax error

Again, pfctl is more than happy to load this same ruleset if the "/24" subnet masks are removed. Is there a similar trick to get this sort of macro setup to work? I tried all sorts of quoted permutations when defining the second level macros but to no avail.

It does make me chuckle a bit to think that the macro support in a firewall package would choke on subnet mask notation. Don't get me wrong, this feature is a great idea and I really want to be able to use it :)

Any help would be greatly appreciated,

-Matthew

Max Laier wrote:
>On Friday 15 April 2005 17:12, Matthew Grooms wrote:
>>Thanks for the response. I can use the macros that contain host
>>addresses or host names. The problem occurs when I use a '/' in a macro
>>and then nest it inside another macro like so ...
>>
>>net1 = "192.168.1.0/24"
>>net2 = "192.168.2.0/24"
>>all_nets = "{" $net1 $net2 "}"
>>pass from $all_nets to any
>
>Make this:
>net1 = "'192.168.1.0/24'"
>net2 = "'192.168.2.0/24'"
>all_nets = "{" $net1 $net2 "}"
>pass from $all_nets to any
>
>Yes, it's a bit cryptic, but it's nearly impossible to fix the parser without
>a major undertaking. This should probably go to the FAQ or the manpage even,
>I posted a suggestion to OpenBSD's pf ML a while ago:
>http://marc.theaimsgroup.com/?l=openbsd-pf&m=109725883904534&w=2
>
>If OpenBSD doesn't take it, I'll put it into ours after 3.7 is imported.
>
>>It always causes a syntax error. The pf web page says you can nest
>>macros so I don't know why it errors out. If you remove the "/24"
>>portion of the net1 & net2 macros it works fine.
>>
>>I thought it may have had something to do with the fact that I am
>>running an AMD64 SMP kernel. So I built an i386 UP box and tested the
>>same four lines above ( with and without the net mask ) and got the same
>>result.
>>
>>I know this is a volunteer effort ( and greatly appreciated at that )
>>but would it be possible for someone to independently confirm what I am
>>seeing and for someone to tell me if this is the intended behavior.
>>
>>Thanks in advance,
>>
>>-Matthew
>>
>>McLone wrote:
>>>On 4/14/05, Matthew Grooms <mgrooms@seton.org> wrote:
>>>>host1 = "192.168.1.1"
>>>>host2 = "192.168.1.2"
>>>>all_hosts = "{" $host1 $host2 "}"
>>>>... I always get a syntax error on the "all_nets =" line.
>>>
>>>Bugs me too. AFAIK there's no way to nest macros.
>>>BTW "," isn't needed.
>>
>>BTW Thanks for the tip.
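An added example, not part of the thread, showing the same network-grouping goal written two ways in pf.conf: the one level of macro nesting Max's quoting trick covers, and a pf table, which groups any number of networks under one name and is not expanded as a macro at all. The table name trusted_nets and the four networks are constructed placeholders.

```conf
# Added example (not from the thread).

# One level of nesting, quoted the way Max suggests in his reply.
net_a1 = "'192.168.1.0/24'"
net_a2 = "'192.168.2.0/24'"
net_a  = "{" $net_a1 $net_a2 "}"

# For grouping across many rules, a table avoids the macro parser entirely:
# the networks are listed once and the rules reference the table by name.
# (trusted_nets and these prefixes are placeholders.)
table <trusted_nets> { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }

# The macro form and the table form used in rules.
pass from $net_a         to any keep state
pass from <trusted_nets> to any keep state
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, so a quoting change can be checked for syntax errors before it touches the live ruleset.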