On 02-09-2014 16:10, andy wrote:
> Hi,
>
> Hoping this is a pretty dumb question and someone can just shoot me down
> with an instant answer, but is there any reason why I can't compare against
> multiple tags?
>
> E.g.
> pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
> queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
>
> I seem to only be able to compare against one tag at a time, which seems to
> be quite limiting?
>
> Cheers, Andy.
>
> PS; Yes I am only just starting to get round to setting up policy based
> rules for the first time as part of a big rewrite for a new much larger
> office with *many* VLANs etc..
>
From the pf.conf man page:

     tag <string>
             Packets matching this rule will be tagged with the specified
             string.  The tag acts as an internal marker that can be used to
             identify these packets later on.  This can be used, for example,
             to provide trust between interfaces and to determine if packets
             have been processed by translation rules.  Tags are "sticky",
             meaning that the packet will be tagged even if the rule is not
             the last matching rule.  Further matching rules can replace the
             tag with a new one but will not remove a previously applied tag.
             A packet is only ever assigned one tag at a time.  Tags take the
             same macros as labels (see above).

So, as you see, your packet can only have one tag assigned at any time.
I think your best bet is to use match rules in association with the
tags. But you'll probably not be able to condense them that much (i.e.,
one rule per tag). In your case, I suggest you break down your pf.conf
into smaller anchors. This will save you time and make your pf rules
much more readable.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
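
An added example of the layout sketched in the reply above (match rules that
tag on ingress, one pass rule per tag, the per-interface policy kept in an
anchor). It is not from the thread or from the pf project. The interface
macros, VLAN devices and tag names are assumptions that follow Andy's naming;
the queue and prio options are copied from his rule; the syntax, including the
inline anchor, is OpenBSD pf.conf.

```pf
# Added example, not from the thread; interface names and tags are assumptions.
if_dmz  = "vlan100"
if_lan  = "vlan10"
if_eng  = "vlan20"
if_wifi = "vlan30"
if_ops  = "vlan40"

# 1. Tag on ingress with match rules. match neither passes nor blocks; it only
#    sets the tag, and the tag is sticky, so later pass/block rules see it
#    unless one of them carries its own "tag" (which replaces it).
match in on $if_lan  tag T_LAN
match in on $if_eng  tag T_ENGINEERING
match in on $if_wifi tag T_WIFI
match in on $if_ops  tag T_OPS

# A packet carries exactly one tag, so "tagged { T_LAN, T_WIFI }" cannot be
# expressed. Where several VLANs genuinely share one policy, a single shared
# tag for all of them avoids the per-tag repetition below, e.g.:
# match in on { $if_lan $if_wifi } tag T_TRUSTED

# 2. Default deny on the DMZ egress side; only packets that were tagged on a
#    trusted interface get through, which is the "trust between interfaces"
#    use the man page describes.
block log out on $if_dmz

# 3. The DMZ egress policy lives in its own anchor so the main file stays
#    short and the anchor can be listed or reloaded on its own. It still
#    needs one pass rule per tag.
anchor "dmz-egress" out on $if_dmz {
    pass quick tagged T_LAN         queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
    pass quick tagged T_ENGINEERING queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
    pass quick tagged T_WIFI        queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
    pass quick tagged T_OPS         queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
}
```

Check the file with `pfctl -nf /etc/pf.conf`, which parses without loading,
and list what ended up in the anchor with `pfctl -a dmz-egress -sr`. Because
a later match rule with `tag` replaces the earlier tag, keep the tagging
rules together and in order; a stray `tag` on a rule further down silently
changes which pass rule a packet hits.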

