From: Tobias Ernst
To: freebsd-pf@freebsd.org
Date: Tue, 04 Sep 2007 20:59:07 +0200
Subject: replacement for nested tables?
Message-ID: <46DDAAFB.6040301@casino.uni-stuttgart.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi!

I am setting up a bridging firewall on FreeBSD 6.2 that has, among others, three interfaces: one for the internal LAN and two demilitarized zones sharing the same subnet.

Now I want to have a convenient way to refer to any machine that is not in one of the demilitarized zones. Here is my first shot:

# DMZ #1
DMZ1 = "192.168.1.3, 192.168.1.4"
table { $DMZ1 }

# DMZ #2
DMZ2 = "192.168.1.5, 192.168.1.6"
table { $DMZ2 }

# The internal lan
table { 192.168.1.0/24, !, ! }

This fails because nested tables are not supported. Sort of makes sense. My next shot was

table { 192.168.1.0/24, !$DMZ1, !$DMZ2 }

but this gives the wrong result because the "!" operator is only applied to the first element in "DMZ1". Is there any way to populate with all IP addresses that are /not/ in DMZ1 or DMZ2 without having to explicitly repeat the addresses of the machines in each DMZ? I would prefer not to have any redundant "points of editing" in my pf.conf.

TIA
Tobias
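The following is an added worked example, not code from the post or from the FreeBSD pf project. It models the two pf.conf behaviours the question turns on: macros are expanded by plain textual substitution, and a table lookup is a longest-prefix match where a negated ("!") best match means the address is not in the table. The sample hosts, the macro values and the "rule-level negation" alternative (one combined DMZ table, negated in the rule rather than inside a table, i.e. "from 192.168.1.0/24 to ! <dmz>") are constructed for this example; pf itself is not required to run it.

```python
"""Model of pf.conf macro expansion and table negation semantics.

Constructed example (not from the freebsd-pf list). Assumptions, labelled:
- pf.conf macros are textual substitution ($NAME -> value).
- Table membership is decided by the most specific (longest-prefix) entry
  that covers the address; if that entry is negated with '!', the address
  is NOT in the table.
Nested tables are not modelled; pf rejects them at load time.
"""
import ipaddress
import re

# Macro values as written in the original post.
MACROS = {
    "DMZ1": "192.168.1.3, 192.168.1.4",
    "DMZ2": "192.168.1.5, 192.168.1.6",
}

# Constructed sample of hosts on the shared /24: two DMZ-1 hosts, two DMZ-2
# hosts and two ordinary LAN hosts.
SAMPLE_HOSTS = [
    "192.168.1.2", "192.168.1.3", "192.168.1.4",
    "192.168.1.5", "192.168.1.6", "192.168.1.7",
]


def expand_macros(text, macros):
    """Textual $NAME substitution, as pf.conf does it (no per-element logic)."""
    return re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], text)


def parse_table(body, macros):
    """Parse the body of 'table <x> { ... }' into (network, negated) entries."""
    entries = []
    for tok in re.split(r"[,\s]+", expand_macros(body, macros).strip()):
        if not tok:
            continue
        negated = tok.startswith("!")
        net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
        entries.append((net, negated))
    return entries


def table_contains(entries, addr):
    """Longest-prefix lookup; a negated best match excludes the address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


# The post's second attempt.  After expansion the body reads
# "192.168.1.0/24, !192.168.1.3, 192.168.1.4, !192.168.1.5, 192.168.1.6":
# only the first address of each macro is negated.
LAN_ATTEMPT = parse_table("192.168.1.0/24, !$DMZ1, !$DMZ2", MACROS)

# Alternative with no duplicated addresses: one DMZ table fed from both
# macros (textual expansion makes this legal), negated at rule level.
DMZ_TABLE = parse_table("$DMZ1, $DMZ2", MACROS)
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def internal_hosts_table_attempt(hosts):
    """Hosts the post's '!$DMZ1, !$DMZ2' table would treat as internal."""
    return [h for h in hosts if table_contains(LAN_ATTEMPT, h)]


def internal_hosts_rule_negation(hosts):
    """Hosts matched by 'from 192.168.1.0/24' combined with '! <dmz>'."""
    return [h for h in hosts
            if ipaddress.ip_address(h) in LAN_SUBNET
            and not table_contains(DMZ_TABLE, h)]


def leaked_dmz_hosts(hosts):
    """DMZ hosts the table attempt wrongly classifies as internal LAN."""
    return [h for h in internal_hosts_table_attempt(hosts)
            if table_contains(DMZ_TABLE, h)]


if __name__ == "__main__":
    print("table attempt  :", internal_hosts_table_attempt(SAMPLE_HOSTS))
    print("rule negation  :", internal_hosts_rule_negation(SAMPLE_HOSTS))
    print("DMZ hosts leaked into 'internal':", leaked_dmz_hosts(SAMPLE_HOSTS))
```

The check a practitioner wants is `leaked_dmz_hosts`: with the macro-in-table form, 192.168.1.4 and 192.168.1.6 (the second address of each macro) end up classified as internal LAN hosts, so any "trust the internal LAN" rule silently extends to half of each DMZ. Keeping the DMZ addresses in one table and negating that table in the rule keeps a single point of editing and excludes all four.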