On Thu, Apr 12, 2012 at 9:25 PM, Michel Blais <mic...@targointernet.com>
wrote:
> Just saw something strange with inline anchor rules and macros:
>
> If I set an anchor rule with a macro inside of it and do pfctl -vnf, only the
> first value of the macro seems to have the anchor rule following. Every other
> value will be without brackets and anchor rules.
>
> Example:
>
> in the pf.conf
> net="{ em0, em1 }"
> anchor in on $net proto tcp to !<server> port { 22, 8181, 4000, 4001, 4002 }
> {
>         block in quick on $ext_if1 to <public_router>
>         pass  in quick on $ext_if1 to 216.*.*.0/24
>         pass  in quick on $ext_if1 to 216.*.*.0/24
>         pass  in quick on $ext_if2 to 96.*.*.0/24
>         pass  in quick on $ext_if1 to 207.*.*.130
>         pass  in quick on $ext_if1 to 207.*.*.128/29
>         pass  in quick on $ext_if1 to 207.*.*.136/29
>         block in  quick
>         block out quick
> }
>
> pfctl -vnf gives me this:
> anchor in on em0 proto tcp from any to ! <server> port = ssh {
>   block drop in quick on em0 from any to <public_antenna>
>   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
>   pass in quick on em0 inet from any to 216.*.*.0/24 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.130 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.128/29 flags S/SA
>   pass in quick on em0 inet from any to 207.*.*.136/29 flags S/SA
>   pass in quick on em1 inet from any to 96.*.*.0/24 flags S/SA
>   block drop in quick all
>   block drop out quick all
> }
> anchor in on em0 proto tcp from any to ! <server> port = 8181
> anchor in on em0 proto tcp from any to ! <server> port = 4000
> anchor in on em0 proto tcp from any to ! <server> port = 4001
> anchor in on em0 proto tcp from any to ! <server> port = 4002
> anchor in on em1 proto tcp from any to ! <server> port = ssh
> anchor in on em1 proto tcp from any to ! <server> port = 8181
> anchor in on em1 proto tcp from any to ! <server> port = 4000
> anchor in on em1 proto tcp from any to ! <server> port = 4001
> anchor in on em1 proto tcp from any to ! <server> port = 4002
>
> Is this a limitation of PF, an unanticipated situation, or is it just cosmetic?
> Maybe I'm misinterpreting it.

The lines directly after the braced block also trigger the braced block.

It's cosmetic.

>
> Thanks
>
> Michel
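To make the expansion behind that answer concrete, here is an added illustration (not pfctl's own parser, and not code from either poster): it models how pf.conf macro substitution and `{ ... }` lists turn the single anchor line from the mail into the cross product of interface x port rules, each of which carries the same inline rule body. The macro values and body lines are constructed from the quoted configuration.

```python
import itertools
import re

# Constructed from the pf.conf fragment quoted in the mail (hypothetical
# stand-in for pf's real macro table and inline anchor body).
MACROS = {"net": "{ em0, em1 }"}
RULE = ("anchor in on $net proto tcp to !<server> "
        "port { 22, 8181, 4000, 4001, 4002 }")
BODY = [
    "block in quick on em0 to <public_router>",
    "block in quick",
    "block out quick",
]

LIST_RE = re.compile(r"\{([^{}]*)\}")


def substitute_macros(rule: str, macros: dict) -> str:
    """Replace each $name with its macro text, as pf.conf does before parsing."""
    return re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], rule)


def expand_lists(rule: str) -> list[str]:
    """Expand every { a, b, ... } list into the cross product of single-value
    rules, in the same order pfctl -vnf prints them (first list varies slowest)."""
    lists = [[v.strip() for v in m.group(1).split(",")]
             for m in LIST_RE.finditer(rule)]
    template = LIST_RE.sub("{}", rule)
    return [template.format(*combo) for combo in itertools.product(*lists)]


def expand_anchor(rule: str, body: list[str], macros: dict) -> list[tuple[str, list[str]]]:
    """Every expanded anchor rule owns the same inline body; the verbose
    listing only prints the braces after the first one, which is cosmetic."""
    return [(r, body) for r in expand_lists(substitute_macros(rule, macros))]


def main() -> None:
    for rule, body in expand_anchor(RULE, BODY, MACROS):
        print(rule, "{")
        for line in body:
            print("  " + line)
        print("}")


if __name__ == "__main__":
    main()
```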
