
pf macro expansion problem



Howdy tech@,

I'm not sure this is a known issue, but macro expansion does not expand
inside of other macro definitions in pf.conf.  I have looked at parse.y but
don't have any changes for you at this point (my yacc is a bit rusty).  In
a brief conversation with dhartmei@ he pointed out that there may not be any
recursion at this point in yacc parse rules.

I do have some samples for you of what I would think would be good to see.
As you will see below, the macros in $ssh_ips don't expand out to their
definitions above.  This causes a parse error as one would expect.

This is my sample pf configuration file (macros and 1 rule):
------------%< snip %<----------------------%< snip %<------------
ext_if=rl0
int_if=fxp0
my_net="10.0.0.0/8"
spoofed="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
work_ip="192.168.1.2"
remote_ip="192.168.4.5"
# allowed ssh ips
ssh_ips="{ $work_ip, $remote_ip, 192.168.16.15, 192.168.28.45 }"
ssh_ips2="{ 192.168.1.2, 192.168.4.5, 192.168.16.15, 192.168.28.45 }"

pass in on $ext_if proto tcp from $ssh_ips to any port ssh keep state
------------%< snip %<----------------------%< snip %<------------

This is the output when it fails:

------------%< snip %<----------------------%< snip %<------------
smudge:: pfctl -n -v -R mypf-rules
ext_if = rl0
int_if = fxp0
my_net = 10.0.0.0/8
spoofed = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }
work_ip = 192.168.1.2
remote_ip = 192.168.4.5
ssh_ips = { $work_ip, $remote_ip, 192.168.16.15, 192.168.28.45 }
ssh_ips2 = { 192.168.1.2, 192.168.4.5, 192.168.16.15, 192.168.28.45 }
mypf-rules:11: syntax error
pfctl: syntax error in rule file: pf rules not loaded
------------%< snip %<----------------------%< snip %<------------

This is the output when $ssh_ips is changed to $ssh_ips2:
------------%< snip %<----------------------%< snip %<------------
smudge:: pfctl -n -v -R mypf-rules
ext_if = rl0
int_if = fxp0
my_net = 10.0.0.0/8
spoofed = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }
work_ip = 192.168.1.2
remote_ip = 192.168.4.5
ssh_ips = { $work_ip, $remote_ip, 192.168.16.15, 192.168.28.45 }
ssh_ips2 = { 192.168.1.2, 192.168.4.5, 192.168.16.15, 192.168.28.45 }
@0 pass in on rl0 inet proto tcp from 192.168.28.45/32 to any port = ssh keep state 
@0 pass in on rl0 inet proto tcp from 192.168.16.15/32 to any port = ssh keep state 
@0 pass in on rl0 inet proto tcp from 192.168.4.5/32 to any port = ssh keep state 
@0 pass in on rl0 inet proto tcp from 192.168.1.2/32 to any port = ssh keep state 
------------%< snip %<----------------------%< snip %<------------

Please let me know if you need anything else from me. Thanks.

-dan

-- 
dan weeks - codemonkey - http://danimal.org/
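Added example, not part of the original post and not pf's own parse.y: a small Python model of the two behaviours Dan describes, a macro value copied verbatim into a rule (so `$work_ip` survives and the rule is unparseable) versus references expanded recursively. The pf.conf fragment is constructed to mirror his file; the script only models expansion and never calls pfctl.

```python
import re

# Constructed pf.conf fragment mirroring the post (this script never calls pfctl).
SAMPLE_CONF = """\
ext_if=rl0
work_ip="192.168.1.2"
remote_ip="192.168.4.5"
# allowed ssh ips
ssh_ips="{ $work_ip, $remote_ip, 192.168.16.15, 192.168.28.45 }"
pass in on $ext_if proto tcp from $ssh_ips to any port ssh keep state
"""

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def expand_refs(text, macros, recursive, depth=0):
    """Replace $name references. recursive=False copies a macro's value verbatim,
    so a $ref stored inside that value survives (the behaviour in the post);
    recursive=True keeps expanding, with a depth cap against self-reference."""
    if depth > 32:
        raise ValueError("macro nesting too deep (self-referential macro?)")
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"macro '{name}' is not defined")
        value = macros[name]
        return expand_refs(value, macros, True, depth + 1) if recursive else value
    return MACRO_REF.sub(sub, text)

def load_conf(text, recursive):
    """Split a config into a macro table and a list of (lineno, expanded rule)."""
    macros, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)  # definition: stored, not expanded
        else:
            rules.append((lineno, expand_refs(line, macros, recursive)))
    return macros, rules

def unexpanded_refs(rules):
    """Rules still containing a $name: pfctl would report a syntax error there."""
    return [(n, r) for n, r in rules if MACRO_REF.search(r)]

if __name__ == "__main__":
    for mode in (False, True):
        _, rules = load_conf(SAMPLE_CONF, recursive=mode)
        print("recursive" if mode else "non-recursive", rules, unexpanded_refs(rules))
```

Running it prints the rule with the literal `$work_ip, $remote_ip` left in for the non-recursive mode and the four addresses for the recursive mode.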