Date: Wed, 23 Aug 2006 12:26:42 -0400
From: beno <zope@2012.vi>
To: freebsd-pf@freebsd.org
Subject: Re: Another Lists/Macros Question
Message-ID: <44EC81C2.5050105@2012.vi>
In-Reply-To: <1156345528.1543.134.camel@genius.i.cz>
References: <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> <1156318917.1543.11.camel@genius.i.cz> <44EC60F9.2080102@2012.vi> <1156345528.1543.134.camel@genius.i.cz>
Michal Mertl wrote:
> beno wrote:
>
>> Michal Mertl wrote:
>>
>>> Note that no quoting is necessary here and the parser doesn't care much
>>> about whitespace. If you run pfctl with "-v" you shall see the macro
>>> expansion which should help in understanding the parser and finding out
>>> errors.
>>>
>>>
>> That does help! Thanks! Now, throwing that flag with the others (-f and
>> -n) I now get the following errors:
>>
>> set fingerprints /etc/pf.os
>> pfctl: /etc/pf.os : No such file or directory
>>
>
> I expect you removed all " characters from the file? Apparently in some
> places they matter (e.g. set fingerprints). Maybe the explanation is
> that it doesn't require quoting of numbers (including single IP address)
> but does require quoting of texts.
>
This is interesting! No...here's the line I had written:

set fingerprints " /etc/pf.os "

and *that* doesn't work! Why? The s_p_a_c_e_s!!! (So much for the parser
not being particular about spacing, either.) This works:

set fingerprints "/etc/pf.os"

Go figure! I guess the parser is v_e_r_y particular ;)

>> /etc/pf.conf:24: syntax error
>> Here's that line, which the parser doesn't parse, preceded by other
>> lines in question:
>> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
>> 202.71.106.118 202.71.106.188 203.142.1.8"
>> directv_ip_addresses="{ 69.19.0.0/17 }"
>> shadday_ip_addresses=""
>> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
>> $shadday_ip_addresses
>>
>> Now, we've been here before, and I was instructed to write the
>> directv_ip_address line just so, but now the parser is throwing another
>> error based on that very variable yet again! (I have singled it out
>> through experimentation.) What doesn't it like this time?
>>
>
> Does shinjiru_ip_addresses macro definition span multiple lines? If so,
> you need to fix it by typing \ at the end of the line which continues on
> another.
>
No...it's all in one line.
Also this works (changing only the line below):

ssh_ip_addresses= $shinjiru_ip_addresses $shadday_ip_addresses

So, the problem is *only* the variable $directv_ip_addresses, which I
excluded in this example. Again, this matter was supposedly put to rest in
an earlier communication with the list, but it has resurrected itself :(

>
>> /etc/pf.conf:68: syntax error
>> pass in quick proto tcp from any to any port = ssh flags S/SA keep state
>> (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
>> <bruteforce> flush global, if-bound, src.track 3)
>>
>> when the actual lines I wrote are these:
>>
>
> Does the rule span multiple lines again?
>
Yes, written as follows:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Even when I make it all one line, like this:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

it throws a "syntax error" (no further details this time..?)

>> Here are my questions concerning this much:
>> * Why does the parser render "from any to $web_server" as "from any to
>> any"? That's not what I specified!
>>
>
> I don't know what you have specified and what was the result.
>
I specified this:

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

and this previously:

web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

so I would have expected it to render this:

...from any to 202.71.106.119 port 80 8080 7080 22 21 8021 7021 443 993 143 flags S/SA...

[see below before commenting]

>
>> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's
>> not what I specified, either!
>>
>
> You probably forgot to surround the macro invocation with {} (wrote
> "port $macro_with_multiple_ports" instead of "port
> { $macro_with_multiple_ports }" (without quotes).
>
Now, *that* worked! That yielded the result I was expecting, as noted above!

>
>> * Why does the parser automatically reduce my variables max-src-conn and
>> max-src-conn-rate (okay because the proportion is the same?)
>>
>
> Probably not. It works for me.
>
And me now, with the curly braces. So, the only problem left, thus far, is
the one above concerning the macro $directv_ip_addresses Everything else in
my initial pf.conf works FINE now!

TIA,
beno
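A pf.conf fragment, added here as an illustration (it is not beno's file or Michal's reply), that puts the definitions from this thread in the forms pf's parser accepts and notes where each of the three errors came from. The table line and the final ssh rule are assumptions, not lines from the thread.

```pf
# Added example (not from the thread): the macros and rules discussed
# above, written the way pf's parser accepts them.  Check without loading:
#   pfctl -nvf /etc/pf.conf   (-n parse only, -v print with macros expanded)

# Quotes are taken literally: blanks inside them become part of the path.
# set fingerprints " /etc/pf.os "   # fails: no file named " /etc/pf.os "
set fingerprints "/etc/pf.os"

# Assumed: the overload target must be declared before a rule names it.
table <bruteforce> persist

web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
# Macros are joined by juxtaposition; $name is not expanded inside quotes.
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="69.19.0.0/17"   # plain value: no braces in here
shadday_ip_addresses=""               # empty macro, expands to nothing

# "{" and "}" are list tokens, not text.  With
#   directv_ip_addresses="{ 69.19.0.0/17 }"
# expanding $directv_ip_addresses drops a bare "{" into the middle of
# the next definition, which is the /etc/pf.conf:24 syntax error above.
# Quote the braces here instead so the combined macro is one list:
ssh_ip_addresses= "{" $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses "}"

# A multi-valued port macro needs braces at the point of use; without
# them the parser sees "port 22 21 8021 ..." and reports a syntax error.
pass in quick inet proto tcp from any to $web_server port { $tcp_ports } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Assumed rule (not shown in the thread) consuming the combined list;
# $ssh_ip_addresses already carries its own braces, $ssh_ports is one value.
pass in quick inet proto tcp from $ssh_ip_addresses to $web_server port $ssh_ports \
    flags S/SA keep state
```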