From owner-freebsd-pf@FreeBSD.ORG  Tue May 10 05:43:55 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7E142106566B
	for <freebsd-pf@freebsd.org>; Tue, 10 May 2011 05:43:55 +0000 (UTC)
	(envelope-from fbsdq@peterk.org)
Received: from poshta.pknet.net (poshta.pknet.net [216.241.167.213])
	by mx1.freebsd.org (Postfix) with ESMTP id 3BEB88FC13
	for <freebsd-pf@freebsd.org>; Tue, 10 May 2011 05:43:54 +0000 (UTC)
Received: (qmail 32387 invoked by uid 89); 10 May 2011 05:17:12 -0000
Received: from localhost (HELO pop.pknet.net) (127.0.0.1)
	by poshta.pknet.net with ESMTP; 10 May 2011 05:17:12 -0000
Received: from 216.241.170.11
	(SquirrelMail authenticated user fbsdq@peterk.org)
	by pop.pknet.net with HTTP; Mon, 9 May 2011 23:17:12 -0600
Message-ID: <1dabd775786801bbbd7ac95b100605f9.squirrel@pop.pknet.net>
In-Reply-To: <BANLkTikRMPE_D-yjMByxMpVKrNPdxqFX-w@mail.gmail.com>
References: <BANLkTikRMPE_D-yjMByxMpVKrNPdxqFX-w@mail.gmail.com>
Date: Mon, 9 May 2011 23:17:12 -0600
From: "Peter" <fbsdq@peterk.org>
To: "Oguz Yilmaz" <oguzyilmazlist@gmail.com>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: freebsd-pf@freebsd.org
Subject: Re: using =?iso-8859-1?q?=93include=94_like_statement_in_pf=2Econ?=
	=?iso-8859-1?q?f_to_include_some_pa?= rts from other files
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 May 2011 05:43:55 -0000

> Hi,
>
> I want to be able to include some parts of my pf.conf from other set of
> files.
>
> For example I will include "set timeout" vs like statements in another
> file.
>
> Using anchors and "load anchor from file" statements will not help
> because anchor can not hold such GLOBAL OPTIONS. In case I set those
> macros and set statement in a anchor it will be valid for the anchor
> or not valid at all (set statemenets).
>

Dirty workaround I've used is to build pf.conf from many smaller files.
Using the ipfw numbering style you can get away with having:
000.pf.macros.inc
010.pf.tables.inc
020.pf.options.inc
etc.etc.
100.pf.jail1.inc
110.pf.jail2.inc

Of course they were named appropriately like global/hostA/hostB and then a
simple
":> /etc/pf.conf ;for i in `ls /nfs/pf/$hostname/*inc`; cat $i >>
/etc/pf.conf;done"

This made updating many hosts "common" parts go pretty fast and broke it
up into individual parts - heck even give some friends the ability to
manage their parts of the rules [jails].

]Peter[