Just saw something strange with an inline anchor rule and a macro:
if I set an anchor rule with a macro inside of it and do pfctl -vnf, only
the first value of the macro seems to have the anchor rules following.
Every other value will be without brackets and anchor rules.
Example:
In pf.conf:
net="{ em0, em1 }"
anchor in on $net proto tcp to !<server> port { 22, 8181, 4000, 4001, 4002 } {
block in quick on $ext_if1 to <public_router>
pass in quick on $ext_if1 to 216.*.*.0/24
pass in quick on $ext_if1 to 216.*.*.0/24
pass in quick on $ext_if2 to 96.*.*.0/24
pass in quick on $ext_if1 to 207.*.*.130
pass in quick on $ext_if1 to 207.*.*.128/29
pass in quick on $ext_if1 to 207.*.*.136/29
block in quick
block out quick
}
pfctl -vnf gives me this:
anchor in on em0 proto tcp from any to ! <server> port = ssh {
block drop in quick on em0 from any to <public_antenna>
pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
block drop in quick all
block drop out quick all
}
anchor in on em0 proto tcp from any to ! <server> port = 8181
anchor in on em0 proto tcp from any to ! <server> port = 4000
anchor in on em0 proto tcp from any to ! <server> port = 4001
anchor in on em0 proto tcp from any to ! <server> port = 4002
anchor in on em1 proto tcp from any to ! <server> port = ssh
anchor in on em1 proto tcp from any to ! <server> port = 8181
anchor in on em1 proto tcp from any to ! <server> port = 4000
anchor in on em1 proto tcp from any to ! <server> port = 4001
anchor in on em1 proto tcp from any to ! <server> port = 4002
Is this a limitation of PF, an unanticipated situation, or is it just
cosmetic? Maybe I'm misinterpreting it.
Thanks
Michel
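As an added check (example code, not part of Michel's post and not from the PF project): the script below parses the text that `pfctl -vnf` prints and reports which expanded `anchor` rules carry a `{ ... }` body and which come out empty. It needs neither pf nor root, so it can be run on saved output. The embedded sample is the output quoted in the post, copied verbatim (the redacted `216.*.*.0/24`-style addresses are kept as shown; the parser never interprets addresses).

```python
#!/usr/bin/env python3
"""Report which expanded inline-anchor rules in `pfctl -vnf` output have a body.

Added check, not code from the post. It only parses the text pfctl prints; it
does not need pf or root, so it can be run on saved output.
"""
import sys
from typing import List, Tuple

# Constructed sample: the pfctl -vnf output quoted in the post, verbatim.
SAMPLE_OUTPUT = """\
anchor in on em0 proto tcp from any to ! <server> port = ssh {
block drop in quick on em0 from any to <public_antenna>
pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
block drop in quick all
block drop out quick all
}
anchor in on em0 proto tcp from any to ! <server> port = 8181
anchor in on em0 proto tcp from any to ! <server> port = 4000
anchor in on em0 proto tcp from any to ! <server> port = 4001
anchor in on em0 proto tcp from any to ! <server> port = 4002
anchor in on em1 proto tcp from any to ! <server> port = ssh
anchor in on em1 proto tcp from any to ! <server> port = 8181
anchor in on em1 proto tcp from any to ! <server> port = 4000
anchor in on em1 proto tcp from any to ! <server> port = 4001
anchor in on em1 proto tcp from any to ! <server> port = 4002
"""

# (anchor header without the trailing "{", body lines; empty list if no body)
AnchorRule = Tuple[str, List[str]]


def parse_anchor_rules(output: str) -> List[AnchorRule]:
    """Collect every top-level `anchor ...` rule and the lines inside its braces.

    Brace depth is tracked, so an anchor nested inside a body stays part of
    that body and only top-level anchor rules are returned.
    """
    rules: List[AnchorRule] = []
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if not line.startswith("anchor "):
            i += 1
            continue
        header, body = line, []
        if line.endswith("{"):
            header = line[:-1].rstrip()
            depth = 1
            i += 1
            while i < len(lines):
                cur = lines[i].strip()
                if cur == "}":
                    depth -= 1
                    if depth == 0:
                        break
                elif cur.endswith("{"):
                    depth += 1
                body.append(cur)
                i += 1
        rules.append((header, body))
        i += 1
    return rules


def anchors_with_body(output: str) -> List[Tuple[str, int]]:
    """Anchor headers that got a body, with the number of body lines."""
    return [(h, len(b)) for h, b in parse_anchor_rules(output) if b]


def anchors_without_body(output: str) -> List[str]:
    """Anchor headers printed with no `{ ... }` block at all."""
    return [h for h, b in parse_anchor_rules(output) if not b]


def summary(output: str) -> Tuple[int, int, int]:
    """(total anchor rules, rules with a body, rules without one)."""
    rules = parse_anchor_rules(output)
    with_body = sum(1 for _, b in rules if b)
    return len(rules), with_body, len(rules) - with_body


def main() -> None:
    # Pass "-" to read real pfctl output from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    total, with_body, without = summary(text)
    print(f"{total} anchor rules: {with_body} with a body, {without} empty")
    for header in anchors_without_body(text):
        print(f"  EMPTY: {header}")


if __name__ == "__main__":
    main()
```

Run it on a live ruleset with `pfctl -vnf /etc/pf.conf | python3 anchor_check.py -` (the file name is an assumption). On the sample it reports 10 expanded anchor rules, one with a 9-line body and nine empty, which is the asymmetry the post describes. The script only shows what `-vn` prints; whether the loaded ruleset actually differs is a separate check, for example by loading the rules and listing the anchor contents with `pfctl -a <anchor> -sr`.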