Great.

Thanks Andres for the answer.

Michel

On 2012-04-12 22:30, Andres Perera wrote:
On Thu, Apr 12, 2012 at 9:25 PM, Michel Blais<[email protected]>  wrote:
Just saw something strange with an inline anchor rule and a macro:

If I set an anchor rule with a macro inside it and do pfctl -vnf, only the
first value of the macro seems to have the anchor rules following it. Every other
value will be without brackets and anchor rules.

Example:

in the pf.conf
net="{ em0, em1 }"
anchor in on $net proto tcp to !<server> port { 22, 8181, 4000, 4001, 4002 }
{
        block in quick on $ext_if1 to <public_router>
        pass  in quick on $ext_if1 to 216.*.*.0/24
        pass  in quick on $ext_if1 to 216.*.*.0/24
        pass  in quick on $ext_if2 to 96.*.*.0/24
        pass  in quick on $ext_if1 to 207.*.*.130
        pass  in quick on $ext_if1 to 207.*.*.128/29
        pass  in quick on $ext_if1 to 207.*.*.136/29
        block in  quick
        block out quick
}

pfctl -vnf gives me this:
anchor in on em0 proto tcp from any to !<server> port = ssh {
  block drop in quick on em0 from any to <public_antenna>
  pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
  pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
  pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
  pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
  pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
  pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
  block drop in quick all
  block drop out quick all
}
anchor in on em0 proto tcp from any to !<server> port = 8181
anchor in on em0 proto tcp from any to !<server> port = 4000
anchor in on em0 proto tcp from any to !<server> port = 4001
anchor in on em0 proto tcp from any to !<server> port = 4002
anchor in on em1 proto tcp from any to !<server> port = ssh
anchor in on em1 proto tcp from any to !<server> port = 8181
anchor in on em1 proto tcp from any to !<server> port = 4000
anchor in on em1 proto tcp from any to !<server> port = 4001
anchor in on em1 proto tcp from any to !<server> port = 4002

Is this a limitation of PF, an unanticipated situation, or is it just cosmetic?
Maybe I'm misinterpreting it.
the lines directly after the braced block also trigger the braced block

it's cosmetic

Thanks

Michel
