On 2021-12-30, Marin BERNARD <li...@olivarim.com> wrote:
> While building a pf ruleset, I found out that trying to nest macros
> results in syntax errors, unless the original macros were defined
> with double (nested) quoting (e.g.: "'0.0.0.0/0'" or "\"0.0.0.0/0\"").
>
> I've read the man pages and the OpenBSD FAQ, but could not find any
> internal reference to this. I was able to fix my ruleset thanks to a
> post on serverfault [1]. Yet, I was not able to nest macros more
> than one level deep, since triple quoting the macro value also
> triggers syntax errors.
>
> Is this limitation expected? If so, how can I help to have it
> documented somewhere?

I think it's expected. This is a simple construct and trying to use
it for something more complicated is likely to run into problems.
Manual pages usually talk about what is supported rather than what
isn't (it's difficult to evaluate all the things somebody might
try and explain why it won't work).

I would recommend writing rules like { $macro } rather than including
{ } characters within the macro, so you can switch between single
addresses and lists of addresses easily, and can chain them together
if needed. For something more complicated I'd recommend using tables
instead.
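A pf.conf fragment in the recommended shape, added here as an illustration and not part of either message in the thread: the macros hold bare addresses, the braces sit in the rules, macros chain by unquoted reference, and a table takes over for the larger set. Interface name, addresses and the table file path are constructed placeholders.

```pf
# Constructed example; interface, addresses (RFC 5737 documentation
# ranges) and the table file are placeholders, not a real ruleset.
# Macro values carry only addresses. The braces that turn a value into
# a list live in the rule, so a macro can hold one address today and a
# list tomorrow without touching the rules that use it.
ext_if   = "em0"
web_srv  = "192.0.2.10"
dns_srvs = "192.0.2.53 192.0.2.54"

# Chaining: macros are not expanded inside quotes, so reference them
# unquoted; pfctl joins the expanded values into one space-separated
# string with no extra quoting levels involved.
infra = $web_srv $dns_srvs

# The same rule shape works for a single address and for a list.
pass in on $ext_if proto tcp         to { $web_srv }  port 80
pass in on $ext_if proto { tcp udp } to { $dns_srvs } port 53
pass in on $ext_if proto tcp         to { $infra }    port 22

# For a larger or changing address set, use a table instead of a
# macro: it is loaded from a file and can be replaced at runtime with
# pfctl -t mgmt_hosts -T replace -f /etc/pf/mgmt_hosts, without
# reloading the ruleset. Last matching rule wins, so the block rule
# precedes the narrower pass rule.
table <mgmt_hosts> persist file "/etc/pf/mgmt_hosts"
block in on $ext_if proto tcp to { $infra } port 22
pass  in on $ext_if proto tcp from <mgmt_hosts> to { $infra } port 22
```

Check a ruleset with `pfctl -nf /etc/pf.conf` before loading it; a syntax error from a mis-quoted macro shows up there rather than after the old rules have been flushed.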

