Date: Mon, 9 May 2011 23:17:12 -0600
From: "Peter" <fbsdq@peterk.org>
To: "Oguz Yilmaz" <oguzyilmazlist@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: using “include” like statement in pf.conf to include some parts from other files
Message-ID: <1dabd775786801bbbd7ac95b100605f9.squirrel@pop.pknet.net>
In-Reply-To: <BANLkTikRMPE_D-yjMByxMpVKrNPdxqFX-w@mail.gmail.com>
References: <BANLkTikRMPE_D-yjMByxMpVKrNPdxqFX-w@mail.gmail.com>

> Hi,
>
> I want to be able to include some parts of my pf.conf from other set of
> files.
>
> For example I will include "set timeout" vs like statements in another
> file.
>
> Using anchors and "load anchor from file" statements will not help
> because anchor can not hold such GLOBAL OPTIONS. In case I set those
> macros and set statement in an anchor it will be valid for the anchor
> or not valid at all (set statements).
>

Dirty workaround I've used is to build pf.conf from many smaller files.
Using the ipfw numbering style you can get away with having:

000.pf.macros.inc
010.pf.tables.inc
020.pf.options.inc
etc.etc.
100.pf.jail1.inc
110.pf.jail2.inc

Of course they were named appropriately like global/hostA/hostB and then a
simple

":> /etc/pf.conf ;for i in `ls /nfs/pf/$hostname/*inc`; do cat $i >> /etc/pf.conf;done"

This made updating many hosts' "common" parts go pretty fast and broke it
up into individual parts - heck even give some friends the ability to
manage their parts of the rules [jails].

]Peter[
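
The fragment-assembly approach from the message above, as an added example that is not part of the original e-mail: it builds the ruleset in a temporary file, parses it with `pfctl -nf`, and replaces the target only if parsing succeeds. The function name `build_pf_conf` and the `PF_CHECK` override variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: assemble pf.conf from numbered *.inc fragments, validate
# the result, then install it atomically. Not code from the original message.

# build_pf_conf FRAG_DIR TARGET
# PF_CHECK (hypothetical override) names the syntax checker; it defaults to
# "pfctl -nf", which parses a ruleset without loading it.
build_pf_conf() {
    frag_dir=$1
    target=$2
    check=${PF_CHECK:-pfctl -nf}

    # Temp file beside the target so the final mv is a same-filesystem
    # rename; mktemp creates it with mode 0600.
    tmp=$(mktemp "${target}.XXXXXX") || return 1

    found=0
    # Glob expansion is sorted, so 000.* is emitted before 010.*, and so on.
    for f in "$frag_dir"/*.inc; do
        [ -f "$f" ] || continue
        found=1
        printf '# --- begin %s ---\n' "${f##*/}" >> "$tmp"
        cat "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
        printf '\n' >> "$tmp"
    done

    if [ "$found" -eq 0 ]; then
        echo "no fragments found in $frag_dir" >&2
        rm -f "$tmp"
        return 2
    fi

    # Parse only; a broken fragment must never replace the live file.
    if ! $check "$tmp" >/dev/null; then
        echo "validation failed; $target left unchanged" >&2
        rm -f "$tmp"
        return 3
    fi

    mv -f "$tmp" "$target"
}
```

Because every fragment is concatenated into one global ruleset, the parse step catches syntax errors only: anyone who can write a fragment can still change options and rules for the whole host.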