On Thu, Sep 11, 2008 at 10:07:26AM +0100, Dave Lewney wrote:
> Can anyone say why this is syntactically correct ...
>
> I_OUTSIDE="em0"
> A_ping = "10.0.0.1/32"
> pass out log quick on { $I_OUTSIDE } proto icmp from { $A_ping } to any
> icmp-type 0 keep state
>
> ... and yet this is not ...
>
> I_OUTSIDE="em0"
> table <A_ping> { 10.0.0.1/32 }
> pass out log quick on { $I_OUTSIDE } proto icmp from { <A_ping> } to any
> icmp-type 0 keep state
>
> ...
>
> pfctl -n -f /tmp/test1.conf
> /tmp/test1.conf:3: must indicate address family with icmp-type/code
> /tmp/test1.conf:3: skipping rule due to errors
> /tmp/test1.conf:3: rule expands to no valid combination
>
>
> Release is 4.2 GENERIC#375 i386
>
> Thanks,
> Dave
> ---
> Dave Lewney
> IT Services, University of Sussex, Brighton BN1 9QT
My guess:
The first rule set works, because pf infers inet from the IPv4 address
10.0.0.1/32 (after having expanded the list { $A_ping } to $A_ping).
The second rule set doesn't work, because pf doesn't know how to infer
inet or inet6 from a table. This is probably OK, since a table can
contain both IPv4 and IPv6 addresses, e.g.:
$ sudo cat /etc/pf.conf
table <testtable> { 127.0.0.1 ::1 }
pass from <testtable> to any
$ sudo pfctl -t testtable -Ts
127.0.0.1
::1
Martin
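For completeness, the ruleset from the question with the address family stated explicitly, which is what the "must indicate address family with icmp-type/code" message is asking for. This is an added example, not part of the original exchange; the interface name and the addresses (including the 2001:db8::1 documentation address added to the table) are assumptions for illustration only.

```pf
# Added example (not from the original thread): the ruleset from the
# question with the address family given explicitly. Interface name and
# addresses are assumptions chosen for illustration.
I_OUTSIDE="em0"

# A table may hold both IPv4 and IPv6 entries, so pf cannot infer the
# family from <A_ping> the way it does from the literal 10.0.0.1/32.
table <A_ping> { 10.0.0.1/32, 2001:db8::1/128 }

# Rule as posted, rejected by pfctl: icmp-type needs a family and
# <A_ping> alone does not give one.
# pass out log quick on $I_OUTSIDE proto icmp from <A_ping> to any icmp-type 0 keep state

# Fixed: "inet" makes "icmp-type 0" unambiguous. This rule matches only
# the IPv4 entries of the table.
pass out log quick on $I_OUTSIDE inet proto icmp from <A_ping> to any \
    icmp-type 0 keep state

# The IPv6 entries need their own rule: inet6, proto icmp6 and icmp6-type.
# echorep is the symbolic name pf accepts for the echo reply type.
pass out log quick on $I_OUTSIDE inet6 proto icmp6 from <A_ping> to any \
    icmp6-type echorep keep state
```

Parse it without loading it using `pfctl -n -f /path/to/test.conf`, as in the original report; with the family present the "rule expands to no valid combination" error goes away, and `pfctl -t A_ping -Ts` after loading shows both address families in the table while each rule only applies to its own.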