pf macro question

[schmurfy]

Hi,
I came upon a really strange thing i cannot undestand, if you try to feed pfctl with this config file on freebsd 8.0 it will say there is a syntax error on second line:

myvar = "192.168.10.0/24"
lans = "{" $myvar "}"

but this one is perfectly valid for pfctl:

lans = "{ 192.168.10.0/24 }"

and the best is that this one works too (from man page):

ext_if = "kue0"
all_ifs = "{" $ext_if lo0 "}"

can anyone explain me that ?

PS: its is a basic example of my problem in the real case i want to put more than one network in this macro

 

[brd@]

PF does not support nested variables like that.

 

[schmurfy]

Hi,
here is a quote from the manpage of pf.conf from a freebsd 8.0-STABLE:

MACROS
     Macros can be defined that will later be expanded in context.  Macro
     names must start with a letter, and may contain letters, digits and
     underscores.  Macro names may not be reserved words (for example pass,
     in, out).  Macros are not expanded inside quotes.

     For example,

           ext_if = "kue0"
           all_ifs = "{" $ext_if lo0 "}"
           pass out on $ext_if from any to any
           pass in  on $ext_if proto tcp from any to any port 25

how the all_ifs definition differs from what i am trying to do ? it support it perfectly if the var inside contains an interface, why not with a network ?

I already know that this won't work:

all_ifs = "{ $ext_if }"

but from the manpage and documentation this one should (and does when ext_if does not contains a network definition with mask):

all_ifs = "{" $ext_if lo0 "}"

I may have missed something but I really understand your answer here :\

 

[schmurfy]

I found the answer in the mailing lists: http://osdir.com/ml/os.openbsd.pf/2004-10/msg00051.html
The working way of doing it is:

net1 = '"172.16.0.0/12"'
net2 = '"192.168.0.0/16"'
net3 = '"10.0.0.0/8"'

rfc1918 = "{" $net1 $net2 $net3 "}"

block from $rfc1918

I cannot try now but I suppose it will work.