On 2018-06-06, Johan Mellberg <[email protected]> wrote:
> Hi,
>
> I am working my way through "The Book of Pf" and got hung up on the
> example on page 31 of edition 3 (I am reading edition 2 but the
> example seems to be identical in edition 3):
>
> ext_if = "re0" # macro for external interface - use tun0 or pppoe0 for PPPoE
> int_if = "re1" # macro for internal interface
> localnet = $int_if:network
> # ext_if IPv4 address could be dynamic, hence ($ext_if)
> match out on $ext_if inet from $localnet nat-to ($ext_if) # NAT, match IPv4 only
> block all
> pass from { self, $localnet }
>
> So, what it does is not a problem, I understand that, but that set of
> parentheses around $ext_if confuses me. The explanation states that
> the IPv4 address could be dynamic (which is clear...) but I look at
> that example and as far as I understand, $ext_if should expand to
> "re0", not an IP address - right?

With ext_if="re0", $ext_if expands to re0.

If this is used in place of an address in a PF rule, re0's address is
looked up when pfctl is run and that is used.

If "(re0)" is used instead, that lookup is done when the firewall state
is created rather than during rule load. So if you have an address which
does *not* change, using () is unnecessary overhead at runtime for every
new state which has to evaluate this.

> Just to test I tried a simple line in my own pf.conf (on OpenBSD 6.3):
>
> ext_if = "em0"
> set skip on $ext_if
> 
> and tested with pfctl -nvf /etc/pf.conf
>
> That worked so then I put parentheses around $ext_if:
>
> set skip on ($ext_if)
>
> and tested again. This time I got a syntax error!

() is only for places which take an address. "set skip" takes an "ifspec"
instead. The interface name itself is valid but "set skip on (em0)" is not.

I realise this is just testing but will mention just in case: you don't
usually want to set skip on the external *or* internal interface.
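To put the two forms side by side, here is a small added pf.conf fragment (not from the book or from either message; the interface names, the dynamic external address and the static internal one are assumed) that uses the plain form where the address is fixed, the parenthesised form where it can change, and `set skip` only on an interface that takes an ifspec, never an address:

```conf
# Added example, not from the book or the thread.
ext_if = "re0"     # assumed: address assigned by DHCP/PPPoE, may change
int_if = "re1"     # assumed: fixed address on the inside
localnet = $int_if:network

# "set skip" takes an ifspec (interface name), not an address, so it is
# written without parentheses; "set skip on ($ext_if)" is a syntax error.
# Loopback is the usual candidate; skipping ext_if or int_if disables
# filtering where it matters most.
set skip on lo0

# Dynamic address: (re0) is resolved when each state is created, so a
# changed lease is picked up without reloading the ruleset.
match out on $ext_if inet from $localnet nat-to ($ext_if)

# Static address: plain $int_if is resolved once by pfctl at load time,
# avoiding the per-state lookup that parentheses would cost on every new state.
block all
pass in on $int_if from $localnet to $int_if
pass from { self, $localnet }
```

Check it with `pfctl -nvf /etc/pf.conf` before loading, as in the original test: the verbose output prints the parsed rules with macros expanded, so the difference between `re0` and `(re0)` in the resulting rules is visible before the ruleset is live.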

