Hi,

Thanks for your reply:

The problem with tables is that they only apply to ip addresses. I use this construction a lot for port ranges and/or icmp types as well, e.g.:

vpn_services = "{ ssh, http, https }"
pass in quick on $vpn_if proto tcp from any to $vpn_ip port $vpn_services

or:

icmp_types = "{ echoreq, echorep, timex, unreach }"
pass inet proto icmp from self to any icmp-type $icmp_types

Best regards,
Sebastiaan van Erk


viq wrote:
On Fri, Jul 16, 2010 at 09:27:16AM +0200, Sebastiaan van Erk wrote:
Hi,

I am a very happy user of PF, so first of all, thanks for the
wonderful software!

I do have a feature request though; consider the following example
from the man page:

  ips = "{ 1.2.3.4, 1.2.3.5 }"
  pass in proto tcp from any to $ips \
        port > 1023 label "$dstaddr:$dstport"

I love the list feature: it allows me to use the same ruleset over
multiple machines, doing the customization in the lists. However, if
you happen to have an empty list:

  ips = "{ }"

then you get a parse error. It would be very useful if this would
just work. The expected behavior would then be that pf generates no
rules at all in this case (one rule for every ip in the list = 0
rules).

How about using a table instead? Can be empty, can be easily modified on
the fly, is faster when you have a long list of IPs, can be stored in
external file.

Best regards,
Sebastiaan van Erk
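As an added example (constructed for this thread, not pf's own code and not something the posters wrote): a small POSIX shell generator that emits a macro and the rule that uses it only when the list is non-empty, which is the behaviour the request asks for (zero items in the list, zero rules) and which sidesteps the parse error on "{ }". It assumes the lists are written in pf.conf's "{ a, b }" syntax and that the per-host values are set in the script itself; the macro names and the two rules are the ones quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example: generate pf.conf fragments from possibly-empty lists.
# An empty list produces no macro and no rule, so pf.conf never
# contains "{ }" (which pfctl rejects as a parse error).

# list_is_empty LIST
# Returns 0 (true) when LIST holds nothing but braces, commas and
# whitespace; returns 1 otherwise. Assumes pf.conf "{ a, b }" syntax.
list_is_empty() {
    if printf '%s' "$1" | grep -q '[^{}[:space:],]'; then
        return 1
    fi
    return 0
}

# emit_rule MACRO_NAME LIST RULE
# Prints the macro definition and the rule, or nothing if LIST is empty.
# RULE is printed literally, so the $macro references stay for pf to expand.
emit_rule() {
    name=$1; list=$2; rule=$3
    if list_is_empty "$list"; then
        return 0
    fi
    printf '%s = "%s"\n' "$name" "$list"
    printf '%s\n' "$rule"
}

# Constructed per-host values (hypothetical); on a real host these would
# come from a per-machine include file. One list is deliberately empty.
vpn_services='{ ssh, http, https }'
icmp_types='{ }'

# gen_ruleset prints the complete fragment for this host.
gen_ruleset() {
    emit_rule vpn_services "$vpn_services" \
        'pass in quick on $vpn_if proto tcp from any to $vpn_ip port $vpn_services'
    emit_rule icmp_types "$icmp_types" \
        'pass inet proto icmp from self to any icmp-type $icmp_types'
}

gen_ruleset
```

With the values above only the vpn_services macro and its pass rule are printed; the icmp rule is dropped entirely. Redirect the output into the file you include from pf.conf and check it with "pfctl -nf file" (parse without loading) before applying it, so a generation mistake is caught as a parse error instead of an unexpected rule.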
