On Tue, 02 Sep 2014 16:28:27 -0300, Giancarlo Razzolini
<grazzol...@gmail.com> wrote:
> On 02-09-2014 16:10, andy wrote:
>> Hi,
>>
>> Hoping this is a pretty dumb question and someone can just shoot me down
>> with an instant answer but is there any reason why I can't compare
>> against multiple tags?
>>
>> E.g.
>> pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
>> queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
>>
>> I seem to only be able to compare against one tag at a time which seems to be
>> quite limiting?
>>
>> Cheers, Andy.
>>
>> PS; Yes I am only just starting to get round to setting up policy based
>> rules for the first time as part of a big rewrite for a new much larger
>> office with *many* VLANs etc..
>>
> From the pf.conf man page:
> 
>      tag <string>
>              Packets matching this rule will be tagged with the specified
>              string.  The tag acts as an internal marker that can be used to
>              identify these packets later on.  This can be used, for example,
>              to provide trust between interfaces and to determine if packets
>              have been processed by translation rules.  Tags are "sticky",
>              meaning that the packet will be tagged even if the rule is not
>              the last matching rule.  Further matching rules can replace the
>              tag with a new one but will not remove a previously applied tag.
>              A packet is only ever assigned one tag at a time.  Tags take the
>              same macros as labels (see above).
> 
> So, as you see, your packet can only have one tag assigned at any time.
> I think your best bet is to use match rules in association with the
> tags. But you'll probably not be able to condense them that much (ie,
> one rule per tag). In your case, I suggest you break down your pf.conf
> into smaller anchors. This will save you time and make your pf rules
> much more readable.
> 
> Cheers,


Hi grazzolini,

Yes I wouldn't expect to be able to apply more than one tag, I'm asking
about checking for multiple matching tags?

I.e. pass out if the packet is 'tagged' with XXX or YYY or ZZZ.

Thanks, Andy.
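Since `tagged` only ever takes a single tag, the pattern the thread points at is one pass rule per tag, optionally grouped in an anchor. The pf.conf fragment below is an added, constructed example (not Andy's or Giancarlo's ruleset); the interface name, VLAN interfaces and the assumption that the `_wan_dflt`/`_wan_pri` queues are defined elsewhere are all assumptions.

```pf
# Constructed example; interface and VLAN names are assumptions.
if_dmz = "em0"

# match rules assign the tag on ingress. A packet carries exactly one tag;
# a later match can replace it but never remove it ("sticky").
match in on vlan10 tag T_LAN
match in on vlan20 tag T_ENGINEERING
match in on vlan30 tag T_WIFI
match in on vlan40 tag T_OPS

# Default: anything leaving on the DMZ uplink without an accepted tag is
# dropped and logged, so the tag-based policy is actually enforced.
block out log on $if_dmz

# "tagged" has no { A, B, C } list form, so the "T_LAN or T_WIFI or ..."
# check is spelled out as one rule per tag. Keeping them in an anchor keeps
# the main ruleset short and lets this block be reloaded on its own.
anchor "dmz_out" out on $if_dmz {
	pass quick tagged T_LAN         queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
	pass quick tagged T_ENGINEERING queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
	pass quick tagged T_WIFI        queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
	pass quick tagged T_OPS         queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
}
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to confirm that a `tagged` operand with a list is rejected while the per-tag form above is accepted.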
