Date: Fri, 18 Aug 2006 20:26:09 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: Syntax Error
Message-ID: <200608182026.19006.max@love2party.net>
In-Reply-To: <Pine.NEB.4.64.0608181140320.298@glacier.reedmedia.net>
References: <44E5E816.1030304@2012.vi> <Pine.NEB.4.64.0608181140320.298@glacier.reedmedia.net>

On Friday 18 August 2006 19:03, Jeremy C. Reed wrote:
> > For some reason the parser likes this syntax in certain places but
> > not in others:
> >
> > 1. # SETTING THE STAGE
> > 2. # macros
> > 3. ext_if="vr0"
> > 4. int_if="lo0"
> > 5. http_ports="80 8080 7080"
> > 6. ssh_ports="22"
> > 7. ftp_ports="21 8021 7021"
> > 8. smtp_ports="25"
> > 9. pop3_ports="110"
> > 10. https_ports="443"
> > 11. imap_ssl_ports="993 143"
> > 12. squid_ports="3128"
> > 13. mysql_ports="3306"
> > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > 15. all_http_ports="{" $http_ports $https_ports "}"
> > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > $imap_ssl_ports "}"
>
> I don't think you can put a list inside of another list.
>
> > 17. int_ports="{" $squid_ports $mysql_ports "}"
> > 18. tcp_services="ssh, ftp, http"
> > 20. web_server="202.71.106.119"
> > 21. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12
> > 10.0.0.0/8"
> > 22. shinjiru_ip_addresses="202.71.102.114 202.71.100.126
> > 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
> > 23. directv_ip_addresses="69.19.0.0/17"
> > 24. shadday_ip_addresses="70.19.0.0/17"
> > 25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
> > $shadday_ip_addresses "}"
>
> I don't know why the list doesn't allow the macro with the /netmask. If
> the macros don't have a /netmask the list works (but not what you
> want).

That's a well-known problem in the pfctl-parser. Patches have been
proposed but never made it to the tree - afaik. Look in the archives of
this and the original ML for reasons and detailed discussion.

> > server167# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f
> > /etc/pf.conf_BAK
> > /etc/pf.conf:16: syntax error
> > /etc/pf.conf:24: syntax error
> > pfctl: Syntax error in config file: pf rules not loaded
> >
> > It appears to not like my using "$all_http_ports" in line 16 and one
> > of the three in the last line (which the machine chooses to call 24
> > but it is actually referring to 25). Why?
>
> Because you are missing line #19 above so it is off by one.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News