I don't see why you couldn't just feed your ruleset through a preprocessor like m4 before passing it to pfctl. It's just text. Make up your own syntactic sugar.
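The m4 approach described above, as an added example that is not part of the original thread: a pf.conf template carries m4 `define` macros (the interface name `em0`, the network `192.0.2.0/24` and the `ALLOW_TCP` macro are all constructed for illustration), m4 expands it to plain pf syntax, and the result is parse-checked with `pfctl -nf -` when pfctl is present.

```sh
#!/bin/sh
# Added example (not from the original post): run a pf ruleset template
# through m4 before handing it to pfctl. The template, interface name
# and network below are constructed for illustration.

# Write the template to a file so it can be kept under version control
# and diffed like any other source; here it is built inline.
write_template() {
    cat > "$1" <<'EOF'
define(`EXT_IF', `em0')dnl
define(`ADMIN_NET', `192.0.2.0/24')dnl
dnl ALLOW_TCP(port, source): a stateful pass rule, parameterised the way
dnl a function would be. EXT_IF inside the body is expanded on use.
define(`ALLOW_TCP', `pass in on EXT_IF proto tcp from $2 to (EXT_IF) port $1 keep state')dnl
set skip on lo0
block in on EXT_IF
ALLOW_TCP(`ssh', ADMIN_NET)
ALLOW_TCP(`https', any)
pass out on EXT_IF keep state
EOF
}

# Expand the template: m4 consumes the macro definitions and emits
# plain pf.conf text, one rule per line.
expand_template() {
    m4 "$1"
}

# Parse-only check with pfctl(8) when it is present: -n parses without
# loading, -f - reads the ruleset from stdin. Without pfctl the expanded
# ruleset is simply printed so it can be eyeballed.
load_or_check() {
    tmpl=$(mktemp) || return 1
    write_template "$tmpl"
    if command -v pfctl >/dev/null 2>&1; then
        expand_template "$tmpl" | pfctl -nf -
    else
        expand_template "$tmpl"
    fi
    rc=$?
    rm -f "$tmpl"
    return $rc
}

# Usage: . ./pf-m4.sh; load_or_check
```

One caveat a practitioner will hit: m4 expands its builtins wherever they appear as bare words, so a table or host called `index`, `format` or `len` in the ruleset gets rewritten, and pf's own `include` keyword shares a name with an m4 builtin (GNU m4 only expands `include` when it is followed by parentheses, so the bare pf form survives there, but check your m4). Running m4 with `-P`, which prefixes every builtin with `m4_`, removes the collision at the cost of writing `m4_define` in the template; and always keep `pfctl -nf` in the pipeline so a stray expansion fails the parse rather than loading.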
Back in the days before pf, I used to do shell expansions along the lines of

    myhost="$(hostname)"
    ipf ... -f /dev/stdin <<EOM
    pass blah $myhost blah blah...
    EOM

I had a similar routine to do the equivalent of antispoof, looking through each interface, and generating rules to block stuff from that network on the other interfaces. I also set up the dhclient helper script to re-invoke the script when stuff changed, so that I could have firewall rules that were different when I didn't have an IP address versus when I did, and so on.

I have attached a general-purpose preprocessor I wrote to this email. It has functionality similar to cpp, but it is language-independent. Tell me if anyone finds it useful, and I'll develop it a little more.

-- 
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
Attachment: preprocess (binary data)
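The shell-expansion approach from the post above, as an added example that is not the poster's own script: a pf ruleset built from here-documents, an antispoof-style block generated for every interface pair, and a branch that emits a different ruleset while the external interface has no address yet (the dhclient-hook case). The interface table, the names `em0`/`em1`/`em2` and the networks are constructed; on a real host they would come from ifconfig(8) and the address from the dhclient hook's environment.

```sh
#!/bin/sh
# Added example (not the original poster's script): generate a pf ruleset
# with plain shell expansion, the way the ipf here-document above does,
# including an antispoof-style block per interface and a ruleset that
# differs depending on whether the external interface has an address yet.
# Interface names and networks are constructed; on a real host you would
# read them from ifconfig(8) and pass the address in from the dhclient hook.

# Constructed interface table, "ifname network/prefix" per line.
IFTABLE='em0 192.0.2.0/24
em1 198.51.100.0/24
em2 203.0.113.0/25'

# antispoof equivalent: a packet with a source inside em0's network must
# not arrive on em1 or em2, and so on for every ordered pair.
gen_antispoof() {
    printf '%s\n' "$IFTABLE" | while read -r ifn net; do
        [ -n "$ifn" ] || continue
        printf '%s\n' "$IFTABLE" | while read -r other onet; do
            [ -n "$other" ] && [ "$other" != "$ifn" ] || continue
            printf 'block in quick on %s from %s to any\n' "$other" "$net"
        done
    done
}

# Full ruleset. $1 = hostname label, $2 = external interface,
# $3 = its address (empty while still waiting for a DHCP lease).
gen_ruleset() {
    myhost="$1" ext_if="$2" ext_addr="$3"
    cat <<EOM
# generated on $myhost for $ext_if
set skip on lo0
EOM
    gen_antispoof
    if [ -z "$ext_addr" ]; then
        # No lease yet: block everything except the DHCP exchange itself.
        cat <<EOM
block all
pass out on $ext_if proto udp from any port bootpc to any port bootps
pass in on $ext_if proto udp from any port bootps to any port bootpc
EOM
    else
        # Address known: normal stateful policy bound to that address.
        cat <<EOM
block in on $ext_if
pass out on $ext_if from $ext_addr keep state
pass in on $ext_if proto tcp to $ext_addr port ssh keep state
EOM
    fi
}

# Counters used when checking the generated output.
count_antispoof() { gen_antispoof | wc -l | tr -d ' '; }
count_rules() { gen_ruleset "$@" | grep -vc '^#'; }

# Parse with pfctl(8) when available (-n: do not load, -f -: read stdin);
# otherwise just print the ruleset.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        gen_ruleset "$@" | pfctl -nf -
    else
        gen_ruleset "$@"
    fi
}

# A dhclient exit hook would re-run this with the address it was handed
# (new_ip_address is the variable name dhclient exports to its hooks):
#   check_ruleset "$(hostname)" em0 "$new_ip_address"
```

Two things worth noting about the design: the generated rules are always fed through `pfctl -nf -` first, so a malformed interface name or an empty network in the table fails the parse rather than loading a half-ruleset; and the no-address branch is the one that matters for safety, since a hook that runs before the lease arrives must not open holes for an address that does not exist yet.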