Date: Tue, 04 Sep 2007 20:59:07 +0200 From: Tobias Ernst <tobi@casino.uni-stuttgart.de> To: freebsd-pf@freebsd.org Subject: replacement for nested tables? Message-ID: <46DDAAFB.6040301@casino.uni-stuttgart.de>
next in thread | raw e-mail | index | archive | help
Hi!
I am setting up a bridging firewall on FreeBSD 6.2 that has, among
others three interfaces: one for the internal LAN and two demilitarized
zones sharing the same subnet.
Now I want to have a convenient way to refer to any machine that is not
in one of the demilitarized zones. Here is my first shot:
# DMZ #1
DMZ1 = "192.168.1.3, 192.168.1.4"
table <dmz1_table> { $DMZ1 }
# DMZ #2
DMZ2 = "192.168.1.5, 192.168.1.6"
table <dmz2_table> { $DMZ2 }
# The internal lan
table <int_table> { 192.168.1.0/24, !<dmz1_table>, !<dmz2_table> }
This fails because nested tables are not supported. Sort of makes sense.
My next shot was
table <int_table> { 192.168.1.0/24, !$DMZ1, !$DMZ2 }
but this gives the wrong result because the "!" operator is only applied
to the first element in "DMZ1".
Is there any way to populate <int_table> with all IP addresses that are
/not/ in DMZ1 or DMZ2 without having to explictly repeat the addresses
of the machines in each DMZ?
I would prefer not to have any redundant "points of editing" in my pf.conf.
TIA
Tobias
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46DDAAFB.6040301>