[PF] Syntax Error on right grammar? General Help needed.

C

cr4wler

Hey,

first off, you can skip this area if you want to get straight to the question, but it might help with understanding my problem. I have a box set up that will serve as a router later on. It has a wireless nic (configured to serve as an AP, interface wlan0 (ath0) 192.168.1.1), a GBit nic (configured to serve as the wired connection, interface re0 192.168.0.1) and another 100MBit nic (interface dc0, my PPPoE internet connection). Basically what the box is supposed to do, is serve internet to all machines connected to the wlan0 and re0 interfaces. On top of that, the machines are supposed to be able to communicate amongst themselves, no matter which interface they're connected to. I'm having trouble setting up my pf.conf to accomodate all this.

Problem:
I'm getting a Syntax Error for my pf.conf, but i've checked the grammar part on the man page and everything seems to add up.

Here is my pc.conf:

Code: 
ext_if = "tun0"
int_wlan = "wlan0"
int_lan = "re0"
all_int = "{$int_wlan, $int_lan}"
tcp_ports = "{27000:29920, 4662, 4711, 10000:11000}"
udp_ports = "{27000:29920, 16567, 1500:4999}"
dest_pc = "192.168.0.10"

set block-policy return
set loginterface $ext_if
set skip on lo0

scrub in all

rdr pass on $ext_if proto tcp to port $tcp_ports -> $dest_pc
rdr pass on $ext_if proto udp to port $udp_ports -> $dest_pc
nat on $ext_if from !($ext_if) to any -> ($ext_if)

[b]pass on $all_int from $all_int to $all_int[/b]
pass inet proto icmp all icmp-type echoreq

pass out on $ext_if proto tcp all modulate state flags any
pass out on $ext_if proto {udp, icmp} all keep state

The bold line is the on that i get the syntax error for. But according to the grammar it is well formed:
Code: 
pf-rule: action "on" ifspec hosts
action: pass
ifspec: "{" interface-list "}"
hosts: "from" "{" host-list "}" "to" "{" host-list "}"
host-list: host "," host-list
host: address

And according to the man-page:
Addresses can be specified in CIDR notation (matching netblocks), as symbolic host names, interface names or interface group names, or as any of the following keywords: [...]
Click to expand...

I've also tried a few other things like:
Code: 
pass on $all_int from <x> to <x>

where <x> equaled
[LIST=1]
[*]{$int_lan:network, $int_wlan:network}
[*]{192.168.0.0/24, 192.168.1.0/24}
[*]192.168.0.0/23
[/LIST]

Am i missing something? Is this not needed? Also, this is my first pc.conf...
Please check it for anything you might find. Even if that one line might work in the end, it might still not do what i want it to ;-)

Thanks a lot in advance!
 
AFAIK, you can't use interface names in "from" and "to", they have to be hostnames, addresses, or subnet. There is a way to automatically get the subnet an interface belongs to:
Code: 
 $(interface:0)
The :0 part is to differentiate between cloned interfaces.
 
matoatlantis said:
Check this FAQ out: list and macros.

Macros are not expanded within quotes. Change your pf.conf:

from:
Code: 
all_int = "{$int_wlan, $int_lan}"
to:
Code: 
all_int = "{" $int_wlan $int_lan "}"
Click to expand...

Hey, thanks both of you guys, but this one is what actually solved my problem and I actually feel stupid now for not thinking of this before :-D

I changed the line to
Code: 
pass on {$int_lan, $int_wlan} from 192.168.0.0./23 to 192.168.0.0/23

and no more syntax error.

Thanks again!
 
what? somehow it didn't post my earlier reply... but yeah, thanks to you both...
the tip with the macros not being expanded did the trick... i feel kind of stupid for not thinking of it myself though :-D

thanks a lot!

working code:
Code: 
pass on {$int_lan, $int_wlan} from 192.168.0.0/23 to 192.168.0.0/23
 
You can use the syntax you provided too:
Code: 
pass on $all_int from $all_int to $all_int

Given you modified $all_int above.
 
wouldn't it need be:
Code: 
all_int = "{" $int_wlan [b]","[/b] $int_lan "}"
?
but anyways, thanks again and even without the macros it works now and i can still try out different kinds of macros :-)

also: i apparently seem to be unable to set this to solved (probably since i'm new and can't edit my posts ;-)), so if a mod wants to do that, feel free to.
 
No problem.
cr4wler said:
wouldn't it need be:
Code: 
all_int = "{" $int_wlan [b]","[/b] $int_lan "}"
Click to expand...

Nope, it should (or better to say it can) be:

Code: 
all_int = "{" $int_wlan $int_lan "}"
..
..
pass on $all_int from $all_int to $all_int
I rather specify the direction in more obvious way, something you already did in your 'working code'. But you can still use macros for this. I'm guessing you made a typo when specifying wireless and home network with mask 23, as those ranges overlap.

I'm not 100% sure how to close the thread, it was some time ago. I too remember it took me some time to figure it out. :)
 
You must log in or register to reply here.
Back
Top