Re: combining macro with interface modifiers in pf.conf

2020-01-25 Thread Paul de Weerd
Hi Philipp,

On Sat, Jan 25, 2020 at 12:06:49PM +0100, Philipp Buehler wrote:
| 
| Hey Paul,
| 
| On 25.01.2020 11:43, Paul de Weerd wrote:
| > block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
| > block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
| 
| I just tested this with "IntIF=vio0" and works on 6.6-stable.
| 
| Is there more in the story, like concat macros, quotes in quotes or
| others along that?

Thanks for your reply, you helped me find the answer.  I obviously
should've published my full ruleset.

[weerd@pom] $ printf "IntIF=\"em0\"\nblock inet from \$IntIF:network to \$IntIF:0\n" | pfctl -nvf -
IntIF = "em0"
block drop inet from 192.168.0.0/24 to 192.168.0.149
[weerd@pom] $ printf "IntIF=\" em0 \"\nblock inet from \$IntIF:network to \$IntIF:0\n" | pfctl -nvf -
IntIF = " em0 "
stdin:2: syntax error

I have (by now 'had') spaces in my macros, so IntIF gets expanded
quite literally to the value I gave it with spaces (as it should).  As
usual, PEBKAC.

Again, thank you for the clue-by-4.  Everything works as it should and
I have been properly educated.

Paul

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 
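As an added example (not part of the thread, and not OpenBSD's or pfctl's own code): the failure Paul describes is that pf substitutes macro values literally, so a quoted value with stray whitespace makes `$IntIF:network` expand to ` em0 :network` and pfctl reports only "syntax error" for the rule line. The script below is a pre-flight lint for that pitfall, to run before `pfctl -nf`. The function names `check_pf_macros` and `sample_pf_conf` are my own, and the sample ruleset is constructed for the demonstration; the macro-name rules are the ones pf.conf(5) states.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: a pre-flight
# lint for pf.conf macro definitions, run before "pfctl -nf pf.conf".
#
# pf expands macros literally, so a quoted value with stray whitespace
#   IntIF=" em0 "
# turns $IntIF:network into " em0 :network", which pfctl rejects with a
# bare "syntax error" that does not point at the macro.  Macro names
# follow pf.conf(5): letters, digits and underscores.

# check_pf_macros [FILE]   (reads stdin when FILE is omitted)
#   Prints one diagnostic per macro whose quoted value starts or ends
#   with whitespace.  Exit status: 0 = clean, 1 = at least one offender.
check_pf_macros() {
    awk '
        BEGIN { bad = 0 }
        # Macro definition: NAME = "value" (spaces around = are optional)
        /^[A-Za-z0-9_]+[ \t]*=[ \t]*"/ {
            v = $0
            sub(/^[A-Za-z0-9_]+[ \t]*=[ \t]*"/, "", v)   # drop NAME="
            sub(/".*$/, "", v)                           # drop closing quote and anything after it
            if (v ~ /^[ \t]/ || v ~ /[ \t]$/) {
                printf "%s:%d: macro value has leading/trailing whitespace: [%s]\n", FILENAME, NR, v
                bad = 1
            }
        }
        END { exit bad }
    ' "${1:--}"
}

# Constructed sample ruleset (not a real pf.conf): one clean macro, one
# with the whitespace problem from the thread, and rules that use
# interface modifiers on both.
sample_pf_conf() {
    cat <<'EOF'
ExtIF="em0"
IntIF=" em1 "
block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
pass out on $ExtIF from $ExtIF:0
EOF
}

# Stand-alone run: lint the sample.  Expect one diagnostic, for IntIF.
if sample_pf_conf | check_pf_macros; then
    echo "macros look clean, safe to run pfctl -nf"
else
    echo "fix the macro(s) above before running pfctl -nf"
fi
```

The check only looks at quoted macro values because an unquoted value cannot carry whitespace in the first place; running it as `check_pf_macros /etc/pf.conf` before `pfctl -nf /etc/pf.conf` turns a bare "syntax error" on a rule line into a message naming the offending macro definition.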



Re: combining macro with interface modifiers in pf.conf

2020-01-25 Thread Philipp Buehler

Hey Paul,

On 25.01.2020 11:43, Paul de Weerd wrote:

> block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
> block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain


I just tested this with "IntIF=vio0" and works on 6.6-stable.

Is there more in the story, like concat macros, quotes in quotes or 
others along that?


ciao
PS: tested on oldest I could find, 5.5, also works
--
pb



combining macro with interface modifiers in pf.conf

2020-01-25 Thread Paul de Weerd
Hi all,

I'm rewriting some pf.conf rulesets and thought to use interface
modifiers to make them more generic.  Here's an example of what I came
up with:

block in on $IntIF inet proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain
block in on $IntIF inet6 proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port domain

These rules force users to use the local recursor for DNS lookups.
However, pfctl complains about syntax errors on both lines.  Replacing
the $IntIF:network and $IntIF:0 with em1:network and em1:0 solves the
syntax errors.  From pf.conf(5), it's not quite clear to me that it
isn't allowed to combine macros with interface modifiers.  On macros
it says:

> Macros can be defined that will later be expanded in context.  Macro
> names must start with a letter, digit, or underscore, and may
> contain any of those characters.  Macro names may not be reserved
> words (for example pass, in, out).  Macros are not expanded inside
> quotes.

and on modifiers:

> Interface names, interface group names, and self can have modifiers
> appended:

To me that suggests you can combine a macro with a modifier.  Am I
missing something obvious?  Is there a way to achieve this?

Thanks,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 


OpenBSD 6.6-current (GENERIC.MP) #603: Mon Jan 13 13:21:42 MST 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8478527488 (8085MB)
avail mem = 8209100800 (7828MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xec120 (49 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 07/20/2018
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpi0: wakeup devices SIO1(S0) BRC1(S0) XHC1(S4) HDEF(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J3060 @ 1.60GHz, 1600.39 MHz, 06-4c-04
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 80MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Celeron(R) CPU J3060 @ 1.60GHz, 1600.03 MHz, 06-4c-04
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 2, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: ID3C, resource for ISP3
acpipwrres1 at acpi0: CLK0, resource for CAMD
acpipwrres2 at acpi0: CLK0, resource for CAM1
acpipwrres3 at acpi0: CLK1, resource for CAM2, CAM3
acpipwrres4 at acpi0: USBC, resource for XHC1
acpipwrres5 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 95 degC
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0004 0x0011 0x0001
extent `acpipci0 pcibus' (0x0 - 0xff), flags=0
extent `acpipci0 pciio' (0x0 - 0x), flags=0
 0x70 - 0x77
 0xcf8 - 0xcff
 0x1 - 0x
extent `acpipci0 pcimem' (0x0 - 0x), flags=0
 0x0 - 0x9
 0x10 - 0xafff
 0xe000 - 0x
"BCM2E64" at acpi0 not configured
"BCM4752" at acpi0 not configured
"SMO91D0" at acpi0 not configured
"INTCF1C" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround
cpu0: Enhanced SpeedStep 1600 MHz: speeds: 1601, 1600, 1520, 1440, 1360, 1280, 1200, 1120, 1040, 960, 880, 800, 720, 640, 560, 480 MHz