Limitations of nested pf macros
Hi,

I'm using OpenBSD 7.0. While building a pf ruleset, I found out that trying to nest macros results in syntax errors, unless the original macros were defined with double (nested) quoting (e.g.: "'0.0.0.0/0'" or "\"0.0.0.0/0\"").

I've read the man pages and the OpenBSD FAQ, but could not find any internal reference to this. I was able to fix my ruleset thanks to a post on serverfault [1]. Yet, I was not able to nest macros more than one level deep, since triple quoting the macro value also triggers syntax errors.

Is this limitation expected? If so, how can I help to have it documented somewhere?

Thank you,

[1]: https://serverfault.com/questions/575876/expanding-a-macro-containing-a-subnet-ip-address-with-prefix-cidr-in-a-list-us
Re : Re: Limitations of nested pf macros
> I think it's expected. This is a simple construct and trying to use
> it for something more complicated is likely to run into problems.
> Manual pages usually talk about what is supported rather than what
> isn't (it's difficult to evaluate all the things somebody might
> try and explain why it won't work).
> I would recommend writing rules like { $macro } rather than including
> { } characters within the macro, so you can switch between single
> addresses and lists of addresses easily, and can chain them together
> if needed. For something more complicated I'd recommend using tables
> instead.

Thank you for your answer. I understand. I was reluctant to create tables for lists as small as 2-10 items, but it seems to be the way to go indeed.
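
The approach recommended in the reply quoted above, written out as a pf.conf fragment. This is an added example, not part of the original thread: the addresses are constructed (documentation ranges) and the macro and table names are hypothetical.

```pf
# Added example, not from the thread. Addresses are constructed
# (documentation ranges); macro and table names are hypothetical.
# Fragment only: assumes the ruleset already has a default "block" rule.

# Macros hold bare values, with no { } and no nested quoting.
mgmt_net   = "192.0.2.0/24"
office_net = "198.51.100.0/24"
vpn_host   = "203.0.113.7"

# The same sources as a table. "const" keeps the contents fixed
# once the table has been created.
table <admin_src> const { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.7 }

# Braces live in the rule, so one macro or several can be listed
# together without defining a macro in terms of other macros.
pass in on egress proto tcp from { $mgmt_net $office_net $vpn_host } \
    to any port ssh

# Table form of the same rule: a single rule with a table lookup.
pass in on egress proto tcp from <admin_src> to any port ssh
```

The file can be parsed without loading it by running `pfctl -nf` on it, which reports syntax errors such as the ones described in the first message.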