On Thu, Oct 20, 2005 at 09:52:28AM -0500, Travis H. wrote:
> > > Does packet filter allow you to load external files? More
> > > specifically, could one place macro definitions in a separate file, but
> > > hook them up to pf.conf so as you reload the pf.conf file you get your
> > > macros? Thank you!
>
> Quoting http://www.openbsd.org/faq/pf/anchors.html:
>
> The load rule causes pfctl to populate the specified anchor by reading
> rules from a text file. The load rule must be placed after the anchor
> rule. Example:
>
> anchor goodguys
> load anchor goodguys from "/etc/anchor-goodguys-ssh"
>
> To add rules to an anchor using pfctl, the following type of command
> can be used:
>
> # echo "pass in proto tcp from 192.0.2.3 to any port 22" \
> | pfctl -a goodguys -f -

Anchors are indeed very useful. I wasn't aware that you can put more than
rules in anchors. Very cool. Minus options and macros, you can put
everything in anchors which for many people is good enough.

> > Another way is to use m4, make, or even a shell/perl script:
> > #!/bin/sh
> > TMP=`mktemp`
> >
> > for file in macros norm queue nat rules; do
> >     cat /etc/pf/$file >> $TMP
> > done
> >
> > pfctl -nf $TMP && mv $TMP /etc/pf.conf
>
> Or you can pipe it directly, without creating a /tmp race:

(Note I said "There is more error checking and what not you should be
doing in this script" and TIMTOWTDI :) )

> cat /etc/pf/* | pfctl -nf -
>
> I highly encourage you to script it... much more flexible.
> You can create rules programmatically.

Will that work if you have files that aren't ordered correctly? But yes,
point taken.

-jon
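An assembler that addresses both points raised in the thread (the ordering problem with "cat /etc/pf/*" and the missing error checking in the quoted script), added here as an example and not code from any poster. It assumes a fragment directory with one file per pf.conf section, named after the sections listed in PF_SECTIONS; the section names, the comment markers and the demo fragments are all constructed for this example.

```sh
#!/bin/sh
# Assemble pf.conf from per-section fragments in a FIXED order, instead of
# relying on how "cat /etc/pf/*" happens to sort the filenames. Assumed
# layout (example, not from the thread): one fragment per section, named
# exactly as in PF_SECTIONS, living in a directory such as /etc/pf.
PF_SECTIONS="macros options norm queue nat rules"

# assemble_pf_conf SRCDIR OUTFILE
# Concatenates SRCDIR/<section> in the order above into OUTFILE, tagging each
# part with a comment. A missing fragment is treated as an error (it is more
# likely a typo than an intentionally empty section), so a half-built ruleset
# is never handed to pfctl.
assemble_pf_conf() {
    srcdir=$1; out=$2
    : > "$out" || return 1
    for sec in $PF_SECTIONS; do
        if [ ! -f "$srcdir/$sec" ]; then
            echo "assemble_pf_conf: missing fragment $srcdir/$sec" >&2
            return 1
        fi
        printf '# --- %s (from %s) ---\n' "$sec" "$srcdir/$sec" >> "$out"
        cat "$srcdir/$sec" >> "$out"
    done
}

# section_order FILE
# Prints the section names in the order they occur in an assembled file, so
# the ordering can be checked without running pfctl.
section_order() {
    sed -n 's/^# --- \([a-z]*\) (from .*$/\1/p' "$1" | paste -s -d ' ' -
}

# install_pf_conf SRCDIR
# Builds into a private temp file created by mktemp in /etc (mode 0600, no
# /tmp race, same filesystem so the mv is atomic), syntax checks it with
# pfctl -n, and only then replaces /etc/pf.conf and loads it.
install_pf_conf() {
    tmp=$(mktemp /etc/pf.conf.XXXXXX) || return 1
    if assemble_pf_conf "$1" "$tmp" && pfctl -nf "$tmp"; then
        mv "$tmp" /etc/pf.conf && pfctl -f /etc/pf.conf
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo on constructed fragments in a scratch directory (no pfctl needed):
# prints "macros options norm queue nat rules" whatever order ls would use.
demo=$(mktemp -d)
for sec in $PF_SECTIONS; do printf '# %s fragment\n' "$sec" > "$demo/$sec"; done
assemble_pf_conf "$demo" "$demo/pf.conf" && section_order "$demo/pf.conf"
rm -rf "$demo"
```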
