Hi,

With other firewall products I like to use groups that contain groups. In pf I like working with tables. Tables can be negated and rules with tables are faster than ones with long lists.

I tried to use something like this:

--------------------
$ cat pf-examples.conf
host_a1 = "192.168.10.11"
host_a2 = "192.168.10.12"
a_hosts = $host_a1 $host_a2

host_b1 = "192.168.20.11"
host_b2 = "192.168.20.12"
b_hosts = $host_b1 $host_b2

net_c1 = "192.168.30.0/24"
net_c2 = "192.168.31.0/24"
c_hosts = $net_c1 $net_c2

table <ab_hosts> { $a_hosts $b_hosts }
table <abc_hosts> { $a_hosts $b_hosts $c_hosts }

block log
pass log from <ab_hosts> to any
pass log inet proto icmp from <abc_hosts> to any
--------------------

Unfortunately this does not work with macros containing subnets.

$ pfctl -nf pf-examples.conf
pf-examples.conf:11: syntax error
pf-examples.conf:14: macro 'c_hosts' not defined
pf-examples.conf:14: syntax error
$

Am I missing something regarding the syntax? Are there other approaches to reach my goal?

Thanks,
Remi
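Added example, not part of Remi's post and not pf's own code: pf tables cannot contain other tables, so one practical answer to "groups that contain groups" is to resolve the nesting outside pf and load the flattened result with "pfctl -t <table> -T replace -f <file>". The script assumes a directory of group files (GROUP_DIR, here a temporary directory filled with constructed data mirroring the a/b/c groups of the post; a real deployment would use a path such as /etc/pf/groups) and an "@name" include line; both the directory layout and the "@name" convention are invented for this example and are not pf syntax. CIDR networks are kept in group files rather than macros, since the pfctl output in the post shows the macro-of-macros form being rejected for them.

```shell
#!/bin/sh
# Added example, not from the original post: pf tables cannot nest, so the
# nesting is resolved here. A group file lists one address or CIDR network
# per line; a line "@name" (a convention invented for this example) pulls in
# group "name" from the same directory. The flattened list is then handed to
# pf with "pfctl -t <table> -T replace -f <file>".

# Constructed sample data in a temporary directory; a real deployment would
# point GROUP_DIR at something like /etc/pf/groups (assumed path).
GROUP_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$GROUP_DIR"' EXIT
printf '%s\n' '# hosts of group A' 192.168.10.11 192.168.10.12 > "$GROUP_DIR/a_hosts"
printf '%s\n' 192.168.20.11 192.168.20.12                       > "$GROUP_DIR/b_hosts"
printf '%s\n' 192.168.30.0/24 192.168.31.0/24                   > "$GROUP_DIR/c_nets"
printf '%s\n' @a_hosts @b_hosts                                 > "$GROUP_DIR/ab_hosts"
printf '%s\n' '@ab_hosts  # a group may include a nested group' @c_nets > "$GROUP_DIR/abc_hosts"

# compose_group NAME [EXPANDING]
# Recursively prints every member of NAME. EXPANDING is the space-separated
# chain of groups currently being expanded, used to stop include cycles.
compose_group() {
    case " $2 " in
        *" $1 "*) echo "compose_group: include cycle at '$1'" >&2; return 1 ;;
    esac
    [ -r "$GROUP_DIR/$1" ] || { echo "compose_group: no group file '$GROUP_DIR/$1'" >&2; return 1; }
    # drop comments and blank lines, then expand @includes or emit the entry
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$GROUP_DIR/$1" |
    while read -r entry; do
        case $entry in
            @*) compose_group "${entry#@}" "$2 $1" || exit 1 ;;
            *)  printf '%s\n' "$entry" ;;
        esac
    done
}

# group_members NAME: flattened, sorted, de-duplicated member list, or a
# non-zero status if any nested group is missing or forms a cycle.
group_members() {
    members=$(compose_group "$1") || return 1
    [ -n "$members" ] || return 0
    printf '%s\n' "$members" | LC_ALL=C sort -u
}

# load_table TABLE GROUP: replace the whole pf table in one step with the
# flattened group. Not invoked here because it needs a live pf.
load_table() {
    tmp=$(mktemp) || return 1
    if group_members "$2" > "$tmp"; then
        pfctl -t "$1" -T replace -f "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Matching pf.conf: declare the tables without members ("persist" keeps a
# table alive even while no rule references it) and let load_table fill them;
# the rules are the ones from the post.
#   table <ab_hosts>  persist
#   table <abc_hosts> persist
#   block log
#   pass log from <ab_hosts> to any
#   pass log inet proto icmp from <abc_hosts> to any

group_members abc_hosts
```

For a single level of grouping the script is not needed: pf itself can build one table from several leaf files, as in 'table <abc_hosts> persist file "/etc/pf/groups/a_hosts" file "/etc/pf/groups/b_hosts" file "/etc/pf/groups/c_nets"' (paths assumed), because those files hold only addresses. The script becomes useful once a group file includes another group, and "pfctl -t abc_hosts -T replace -f" swaps the member set without reloading the rule set.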