Date: Wed, 13 Apr 2005 19:06:16 -0500
From: Matthew Grooms <mgrooms@seton.org>
To: freebsd-pf@freebsd.org
Subject: pf rule macro help ...
Message-ID: <425DB3F8.1070101@seton.org>
Hello all,

I am migrating a largish ruleset from checkpoint to freebsd/pf and am having a problem trying to write some nested macros. The example from the pf website that nests macros seems to work fine ...

host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

... but if I try to nest two macros that define networks ...

net1 = "192.168.1.0/24"
net2 = "192.168.2.0/24"
all_nets = "{" $net1 "," $net2 "}"

... I always get a syntax error on the "all_nets =" line. What am I doing wrong here?

----- warning, wishful thinking below -----

Also, are there any plans to support nested tables, or is there some technical argument against it? Life would be so much easier when trying to organize large groups of networks and hosts. i.e. ...

# Office one networks
table <office1-nets> { 10.1.1.0/24, 10.2.1.0/24, etc ... }

# Office two networks
table <office2-nets> { 10.3.1.0/24, 10.4.1.0/24, etc ... }

# all internal networks
table <internal-nets> { <office1-nets>, <office2-nets> }

# anti spoof
block drop in log quick on $ext_if from <internal-nets> to any

Writing a small rule set is simple in pf.conf, but trying to write a larger script that is easy to read and self-documented is kind of difficult. You have to write all comments before or after a multi-line table or macro because of the esc char. i.e. ...

# mail servers 1 - 2
# web servers 1 - 4
# ftp servers 1 - 4
etc ...
table <my-dmz-hosts> { \
    10.1.1.1, 10.1.1.2, \
    10.1.1.3, 10.1.1.4, 10.1.1.5, 10.1.1.6, \
    10.1.1.7, 10.1.1.8, 10.1.1.9, 10.1.1.10, \
    etc ... }

I know you can use dns names and have pf resolve them at load time, which does make things a bit easier to read. But then you have to worry about losing connectivity with your dns server when you need to reload rules. IMHO, it would have been better if pfctl acted more like a c parser where you have a terminating char, so that inline comments could be used and escapes would be unnecessary. i.e. ...

table <my-dmz-hosts> {
    10.1.1.1,  # mail1.blah.org
    10.1.1.2,  # mail2.blah.org
    10.1.1.3,  # web1.blah.org
    10.1.1.4,  # web2.blah.org
    10.1.1.5,  # web3.blah.org
    10.1.1.6,  # web4.blah.org
    10.1.1.7,  # ftp1.blah.org
    10.1.1.8,  # ftp2.blah.org
    10.1.1.9,  # ftp3.blah.org
    10.1.1.10, # ftp4.blah.org
    etc ... };

# make sure I can manage my dmz hosts
pass quick proto tcp from $admin to <my-dmz-hosts> port ssh;

-Matthew
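The post above describes two things pf.conf does not offer: tables that reference other tables, and inline comments inside a multi-line table. The script below is an added example, not part of the original message and not pf or pfctl code. It is a small hypothetical preprocessor: it accepts the ';'-terminated, comment-friendly table syntax the post wishes for, flattens nested <table> references (rejecting unknown names and reference cycles), validates every literal address with ipaddress before it can reach pfctl, and emits ordinary pf.conf tables with backslash continuations that pfctl will load. Everything here (the function names, the TABLE_RE grammar, the SAMPLE and CYCLE inputs) is constructed for the example; hostnames are deliberately not accepted, only literal addresses and networks.

```python
"""Hypothetical pf.conf table preprocessor (added example, not part of pf).

Input: tables in a ';'-terminated syntax with '#' comments anywhere and
<name> members that refer to other tables.  Output: plain pf.conf tables.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# One table definition in the hypothetical syntax.  Comments are stripped
# before matching, so a '{', '}' or ';' inside a comment cannot confuse it.
TABLE_RE = re.compile(r"table\s+<([\w.-]+)>\s*\{(.*?)\}\s*;", re.S)


def strip_comments(text: str) -> str:
    """Drop '#' to end of line on every line, keeping the line breaks."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_tables(text: str) -> Dict[str, List[str]]:
    """Return {table name: [raw members]}; members are addresses or <refs>."""
    tables: Dict[str, List[str]] = {}
    for name, body in TABLE_RE.findall(strip_comments(text)):
        if name in tables:
            raise ValueError(f"table <{name}> defined twice")
        members = [m.strip() for m in body.split(",")]
        tables[name] = [m for m in members if m]
    return tables


def resolve(name: str, tables: Dict[str, List[str]],
            stack: Tuple[str, ...] = ()) -> List[str]:
    """Expand <refs> recursively; reject unknown tables and cycles."""
    if name in stack:
        raise ValueError("cycle: " + " -> ".join(stack + (name,)))
    if name not in tables:
        raise KeyError(f"unknown table <{name}>")
    out: List[str] = []
    for member in tables[name]:
        if member.startswith("<") and member.endswith(">"):
            out.extend(resolve(member[1:-1], tables, stack + (name,)))
        else:
            # Only literal addresses/networks are accepted; a typo or a
            # hostname raises here instead of failing later inside pfctl.
            ipaddress.ip_network(member, strict=False)
            out.append(member)
    seen = set()  # drop duplicates produced by overlapping references
    return [a for a in out if not (a in seen or seen.add(a))]


def flatten(text: str) -> Dict[str, List[str]]:
    """Parse and fully expand every table in the input."""
    tables = parse_tables(text)
    return {name: resolve(name, tables) for name in tables}


def lint(text: str) -> str:
    """Return '' if the input flattens cleanly, else the error message."""
    try:
        flatten(text)
        return ""
    except (ValueError, KeyError) as exc:
        return str(exc)


def render(name: str, addrs: List[str], per_line: int = 4) -> str:
    """Emit a real pf.conf table, continuation lines ending in a backslash."""
    chunks = [", ".join(addrs[i:i + per_line])
              for i in range(0, len(addrs), per_line)]
    if not chunks:
        return f"table <{name}>"
    lines = [f"table <{name}> {{ \\"]
    for chunk in chunks[:-1]:
        lines.append(f"    {chunk}, \\")
    lines.append(f"    {chunks[-1]} }}")
    return "\n".join(lines)


# Constructed sample input in the hypothetical syntax.
SAMPLE = """
# Office one networks
table <office1-nets> {
    10.1.1.0/24,   # floor 1
    10.2.1.0/24    # floor 2
};

# Office two networks
table <office2-nets> { 10.3.1.0/24, 10.4.1.0/24 };

# all internal networks (10.1.1.0/24 is listed twice on purpose)
table <internal-nets> { <office1-nets>, <office2-nets>, 10.1.1.0/24 };
"""

# Constructed input with a reference cycle, which lint() must reject.
CYCLE = "table <a> { <b> };\ntable <b> { <a> };"

if __name__ == "__main__":
    for name, addrs in flatten(SAMPLE).items():
        print(render(name, addrs, per_line=2))
        print()
    print("lint(CYCLE):", lint(CYCLE))
```

Run it as a script to see the generated pf.conf text; pipe that into a file and load it with `pfctl -nf` first, since the preprocessor checks addresses and references but knows nothing about the rest of the ruleset.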