Hi,

because I am lazy and want to dig through my pf.conf as little as
possible commenting and uncommenting things, I wished that lists in
curly brackets would always work -- even if they are empty, i.e. don't
expand to any rules. Example:

    hostA = "1.2.3.4"
    fwdtcpA = "1000, 2000:3000"
    fwdudpA = ""
    [...]
    rdr on egress proto tcp to port { $fwdtcpA } -> $hostA
    rdr on egress proto udp to port { $fwdudpA } -> $hostA
    [...]
    pass in on egress proto tcp to $hostA port { $fwdtcpA } \
        flags S/SA keep state label "$nr: pass tcp rdr to $dstaddr:$dstport"
    pass in on egress proto udp to $hostA port { $fwdudpA } \
        keep state label "$nr: pass udp rdr to $dstaddr:$dstport"

It would be nice if the UDP-related rules wouldn't cause syntax errors
in the case above. I tried to achieve a similar effect with anchors, but
those experiments always became way more complex than (un)commenting two
lines in pf.conf. A very nasty and ugly workaround would be to have
supposedly empty lists contain "0" ... but, "eww".

Allowing lists to expand to no rules may or may not be easy, I don't
know -- yacc and pfctl's parser are way above my head ... so I'm just
dropping this idea here; maybe someone finds this useful as well and is
willing to provide a patch? :-P

Moritz
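
One way to get the behaviour asked for above without changing pfctl's parser, as an added example that is not part of the original post: a shell generator that prints the rdr and pass rules from the post only for non-empty port lists, and refuses lists that are not plain ports or ranges before they reach the ruleset. The function names and the numeric-only port assumption belong to this example, not to pf.

```shell
#!/bin/sh
# Added example, not from the original post: print pf rules for a port list,
# or nothing at all when the list is empty.

# ports_state LIST -> prints "empty", "ok" or "bad".
# Assumption: lists hold only numeric ports and lo:hi ranges, as in the post.
ports_state() {
    if [ -z "$(printf '%s' "$1" | tr -d ' \t')" ]; then
        echo empty
    elif printf '%s\n' "$1" |
        grep -Eq '^ *[0-9]+(:[0-9]+)?( *, *[0-9]+(:[0-9]+)?)* *$'; then
        echo ok
    else
        echo bad    # anything else would be pasted verbatim into the ruleset
    fi
}

# emit_rdr PROTO PORTS HOST: the translation rule, if PORTS is non-empty.
emit_rdr() {
    case $(ports_state "$2") in
        empty) return 0 ;;
        bad)   echo "malformed port list for $1: $2" >&2; return 1 ;;
    esac
    printf 'rdr on egress proto %s to port { %s } -> %s\n' "$1" "$2" "$3"
}

# emit_pass PROTO PORTS HOST: the matching filter rule, if PORTS is non-empty.
emit_pass() {
    case $(ports_state "$2") in
        empty) return 0 ;;
        bad)   echo "malformed port list for $1: $2" >&2; return 1 ;;
    esac
    opts='keep state'
    [ "$1" = tcp ] && opts='flags S/SA keep state'
    printf 'pass in on egress proto %s to %s port { %s } \\\n' "$1" "$3" "$2"
    printf '    %s label "$nr: pass %s rdr to $dstaddr:$dstport"\n' "$opts" "$1"
}

# Values from the post: fwdudpA is empty, so only the tcp rules are printed.
hostA="1.2.3.4"; fwdtcpA="1000, 2000:3000"; fwdudpA=""
emit_rdr  tcp "$fwdtcpA" "$hostA"
emit_rdr  udp "$fwdudpA" "$hostA"
emit_pass tcp "$fwdtcpA" "$hostA"
emit_pass udp "$fwdudpA" "$hostA"
```

The rdr and pass lines are emitted by separate functions so the translation rules can be kept ahead of the filter rules, as they are in the post.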