On Tue, Feb 14, 2006 at 04:26:29AM +0100, Tobias Ulmer wrote:
> On Mon, Feb 13, 2006 at 09:28:12PM -0500, kyle wrote:
> > I'm having trouble finding out if (I'm sure it does) the pf.conf supports
> > interface ranges and how to implement it. Right now, I have an ugly rule
> > that specifies each interface (tun0, tun1, tun2, etc.). If I somehow missed
> > this in some documentation, please feel free to tell me to STFA or RTFM -
> > but I have checked both the past week and haven't found anything. I also
> > don't have the luxury to just try it out at the moment. Any help is
> > appreciated - thanks!
> 
> I don't know if this works with regular rules, but there is a recent 
> post from Ray Lai where he points out that it's possible to use just 
> interface instead of interface[0-n] [1].

Wow, I'm referenced. =)

> I didn't find this documented in pf.conf(5), but maybe I just should get 
> some sleep...

They are called ``interface groups'', and there are several of them.
ifconfig(8) can show some groups:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo 
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000 
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:e4:34:0c:ed
        media: Ethernet autoselect
        status: no carrier
        inet6 fe80::20a:e4ff:fe34:ced%em0 prefixlen 64 scopeid 0x1
wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1358
        lladdr 58:de:ad:5a:d7:ab
        groups: egress 
        media: IEEE802.11 autoselect adhoc (DS11)
        status: active
        ieee80211: nwid hyperbl0ck chan 9 -10dBm (auto) 
        inet6 fe80::20a:e4ff:fe34:ced%wi0 prefixlen 64 scopeid 0x2
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536

In this example ifconfig(8) shows that I have groups ``lo'' and
``egress'', so in the pf.conf you can stick an interface group
(almost?) anywhere you can stick an interface.  (Actually there's
a missing interface group in this example: ``enc''.  I'm not sure
if it's a bug in ifconfig(8).)  You can also add your own groups
using ifconfig(8).

pf.conf(5) doesn't describe interface groups, but you can find a
description in ifconfig(8) under ``group''.

-Ray-
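
As an added example (not part of the original thread): a small sh/awk helper that reads ifconfig(8)-style output, like the listing quoted above, and reports which interfaces belong to a given interface group, i.e. what a pf rule written against that group name would cover. The sample input is constructed, and its tun0/tun1 entries and the `tun` and `vpn` group names are assumptions.

```sh
#!/bin/sh
# Added example: map interfaces to interface groups from ifconfig(8)-style
# output, to see what a pf rule written "on <group>" would cover.

# Constructed sample in the format quoted above; the tun0/tun1 entries and
# the "tun" and "vpn" group names are assumptions for illustration.
sample_ifconfig() {
cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: no carrier
tun0: flags=51<UP,POINTOPOINT,RUNNING> mtu 1500
        groups: tun vpn
tun1: flags=51<UP,POINTOPOINT,RUNNING> mtu 1500
        groups: tun vpn egress
EOF
}

# Emit one "interface group" pair per line. An interface with no "groups:"
# line is emitted with "-" so that it is reported rather than dropped.
if_groups() {
    awk '
        function emit_ungrouped() { if (ifname != "" && !grouped) print ifname, "-" }
        /^[^ \t][^:]*:/ { emit_ungrouped(); ifname = $1; sub(/:$/, "", ifname); grouped = 0; next }
        $1 == "groups:" { for (i = 2; i <= NF; i++) print ifname, $i; grouped = 1 }
        END { emit_ungrouped() }
    '
}

# Space-separated interfaces that are members of group $1.
group_members() {
    if_groups | awk -v g="$1" '$2 == g { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Interfaces in no group at all; a group-based rule never matches these.
ungrouped() {
    group_members -
}

# Which interfaces would a rule on the (assumed) "tun" group cover?
sample_ifconfig | group_members tun
```

On a live system, feed it real output instead of the sample, for example `ifconfig -a | group_members egress`.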
