Martin Toft wrote:
On Thu, Sep 11, 2008 at 10:07:26AM +0100, Dave Lewney wrote:
Can anyone say why this is syntactically correct ...
I_OUTSIDE="em0"
A_ping = "10.0.0.1/32"
pass out log quick on { $I_OUTSIDE } proto icmp from { $A_ping } to any icmp-type 0 keep state
... and yet this is not ...
I_OUTSIDE="em0"
table <A_ping> { 10.0.0.1/32 }
pass out log quick on { $I_OUTSIDE } proto icmp from { <A_ping> } to any icmp-type 0 keep state
...
My guess:
The first rule set works, because pf infers inet from the IPv4 address
10.0.0.1/32 (after having expanded the list { $A_ping } to $A_ping).
The second rule set doesn't work, because pf doesn't know how to infer
inet or inet6 from a table. This is probably OK, since a table can
contain both IPv4 and IPv6 addresses, e.g.:
$ sudo cat /etc/pf.conf
table <testtable> { 127.0.0.1 ::1 }
pass from <testtable> to any
$ sudo pfctl -t testtable -Ts
127.0.0.1
::1
Martin
You're correct. In my IPv4-only config, insertion of "inet" in the rule
fixed it.
Thanks,
Dave
---
Dave Lewney
IT Services, University of Sussex, Brighton BN1 9QT
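An added pf.conf example, not from the thread or from either poster, showing the table-based rule with the address family stated explicitly (Dave's fix) and the mixed IPv4/IPv6 table from Martin's example handled with one rule per family. The interface name and addresses are placeholders; `icmp-type 0` is the echo reply used in the thread and `icmp6-type 129` its IPv6 counterpart.

```pf
# Added example (not part of the original thread). Placeholder interface
# and addresses; adjust before use.
I_OUTSIDE = "em0"

# IPv4-only table: pf cannot infer inet/inet6 from a table, so state the
# address family in the rule, as in the fix reported in the thread.
table <A_ping> { 10.0.0.1/32 }
pass out log quick on $I_OUTSIDE inet proto icmp from <A_ping> to any icmp-type 0 keep state

# A table may hold both families; give each family its own rule so that
# icmp-type (IPv4) and icmp6-type (IPv6) each apply to the right one.
table <pingers> { 10.0.0.1/32 2001:db8::1/128 }
pass out quick on $I_OUTSIDE inet proto icmp from <pingers> to any icmp-type 0 keep state
pass out quick on $I_OUTSIDE inet6 proto icmp6 from <pingers> to any icmp6-type 129 keep state

# Parse-check without loading:   pfctl -nf /etc/pf.conf
# Inspect a loaded table:        pfctl -t pingers -Ts
```

Check the ruleset with `pfctl -nf` before loading it; a missing family on a table-based rule shows up there as a parse error rather than after the rules are live.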