Hi,

On Sat, 09.01.2010 at 13:09:29 -0500, Ted Unangst <ted.unan...@gmail.com> wrote:
> On Sat, Jan 9, 2010 at 11:40 AM, Toni Mueller <openbsd-m...@oeko.net> wrote:
> > # /sbin/pfctl -n -f pf.conf.test
> > pf.conf.test:23: illegal tos value (null)
> Best guess: sbin/pfctl/parse.y

thanks, Ted, this worked quite nicely. For the record, in

http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/parse.y.diff?r1=1.561;r2=1.562

there are two places where a condition changed to allow a zero as a value, around line 3300 and line 3320, like this:

| NUMBER { $$ = $1; - if (!$$ || $$ > 255) { + if ($$ > 255) { yyerror("illegal tos value %s", $1); YYERROR; }

If one changes this condition and recompiles pfctl, the value '0x0' (at least) can be used in a rule. I didn't have success using this global rule:

  match in all tos 3 scrub (set-tos 0x0)

That was ineffective for me, but I don't know why. Instead, I had to augment a regular pass rule to make this work:

  pass quick on { $ext_if0, $ext_if1, $ext_if2, $int_if } all flags any no state tos 3 scrub (set-tos 0x0)

The complete ruleset on this router looks like this:

  # pfctl -s r
  match in all tos 0x03 scrub (set-tos 0x00)
  match in all scrub (no-df)
  pass quick on bge1 all tos 0x03 no state scrub (set-tos 0x00)
  pass quick on art0 all tos 0x03 no state scrub (set-tos 0x00)
  pass quick on art1 all tos 0x03 no state scrub (set-tos 0x00)
  pass quick on fxp0 all tos 0x03 no state scrub (set-tos 0x00)
  pass in on bge0 all flags S/SA keep state
  block drop out on bge0 all

HTH,
--Toni++
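
Review bot: in the NUMBER branch of the parse.y change quoted above, yyerror("illegal tos value %s", $1) passes the numeric token to a %s conversion, which matches the "(null)" printed for the rejected 0 in the error at the top of this message. Any number above 255 that still reaches this yyerror would likewise be read as a string pointer, so the format should use a numeric conversion matching the type of $1. With the !$$ test removed, the only remaining bound is $$ > 255; if $$ is signed in this rule, an explicit lower bound would keep negative numbers out as well.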