Re: pf macro behavior change between 4.1 and 4.3?
Stuart Henderson wrote:
> ah, actually I think this one (which only affected numbers in
> a macro; strings worked ok) was already fixed. on -current:
>
> $ pfctl -nvf -
> ssh = "22"
> ssh = "22"
> smtp= "25"
> smtp = "25"
> penguin = "216.39.174.25"
> penguin = "216.39.174.25"
> penguin_ports = "{" $ssh $smtp "}"
> penguin_ports = "{ 22 25 }"

Excellent! great to hear, thanks a bunch for your help.

nate
Re: pf macro behavior change between 4.1 and 4.3?
On 2008-08-03, nate <[EMAIL PROTECTED]> wrote:
> Stuart Henderson wrote:
>> The pfctl-based config parsers were re-unified between 4.2 and
>> 4.3, most things just work but there are some uncommon cases
>> which used to work that don't now.
>
> Ok thanks! Do you happen to know if there are plans to fix the
> uncommon cases at some point? It seems like this particular
> behavior wouldn't be intentional.

ah, actually I think this one (which only affected numbers in
a macro; strings worked ok) was already fixed. on -current:

$ pfctl -nvf -
ssh = "22"
ssh = "22"
smtp= "25"
smtp = "25"
penguin = "216.39.174.25"
penguin = "216.39.174.25"
penguin_ports = "{" $ssh $smtp "}"
penguin_ports = "{ 22 25 }"
Re: pf macro behavior change between 4.1 and 4.3?
2008/8/4 Stuart Henderson <[EMAIL PROTECTED]>:
> They're optional, why shouldn't the FAQ use them?
> This is pretty clear in the BNF section in pf.conf(5).

And http://www.openbsd.org/faq/pf/macros.html says so. I rest my case. :-)

Best
   Martin
Re: pf macro behavior change between 4.1 and 4.3?
On 2008-08-04, Martin Schröder <[EMAIL PROTECTED]> wrote:
> When the pf FAQ has no more optional commas? :-)
> http://www.openbsd.org/faq/pf/macros.html has some.

They're optional, why shouldn't the FAQ use them?
This is pretty clear in the BNF section in pf.conf(5).
Re: pf macro behavior change between 4.1 and 4.3?
* Martin Schröder <[EMAIL PROTECTED]> [2008-08-04 16:23]:
> 2008/8/4 Henning Brauer <[EMAIL PROTECTED]>:
> > * Vasile Cristescu <[EMAIL PROTECTED]> [2008-08-03 01:41]:
> >> penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
> >> penguin_ports = "{" $ssh, $smtp "}"
> >
> > when will people learn that the commas are optional
>
> When the pf FAQ has no more optional commas? :-)
> http://www.openbsd.org/faq/pf/macros.html has some.

so? your point being? they are optional, not prohibited.

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: pf macro behavior change between 4.1 and 4.3?
2008/8/4 Henning Brauer <[EMAIL PROTECTED]>:
> * Vasile Cristescu <[EMAIL PROTECTED]> [2008-08-03 01:41]:
>> penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
>> penguin_ports = "{" $ssh, $smtp "}"
>
> when will people learn that the commas are optional

When the pf FAQ has no more optional commas? :-)
http://www.openbsd.org/faq/pf/macros.html has some.

Best
   Martin
Re: pf macro behavior change between 4.1 and 4.3?
* Vasile Cristescu <[EMAIL PROTECTED]> [2008-08-03 01:41]:
> penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
> penguin_ports = "{" $ssh, $smtp "}"

when will people learn that the commas are optional

--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: pf macro behavior change between 4.1 and 4.3?
Stuart Henderson wrote:
> The pfctl-based config parsers were re-unified between 4.2 and
> 4.3, most things just work but there are some uncommon cases
> which used to work that don't now.

Ok thanks! Do you happen to know if there are plans to fix the
uncommon cases at some point? It seems like this particular
behavior wouldn't be intentional.

> For this in particular, you can simplify. Port names are looked
> up from /etc/services; just write "{ ssh, smtp }". The comma is
> optional - see op-list in BNF of pf.conf(5) - but imo makes it
> easier to read (as does removing unnecessary macros).

Nice, that works well. I do have a few ports that are not in
/etc/services but I can hard code them without a recursive macro,
not a big deal. (rather than worry about having to update
/etc/services when I replicate my config between systems)

> pfctl/pf.conf probably could have done with an explicit
> mention, but on plus43.html you find "Improvements in the
> common parser code generator for various OpenBSD daemons"
> which is meant to cover this too.

Ok, good to know. I appreciate the quick response!

thanks a bunch

nate
Re: pf macro behavior change between 4.1 and 4.3?
On Sunday 03 August 2008, nate wrote:
> Hello there ..
>
> I am in the process of building a new OpenBSD 4.3 system in
> parallel to my existing 4.1 system and ran into a little
> glitch with regards to migrating my pf rule set to the new
> system.
>
> It seems that in 4.3, macros that expand to ports with
> variables doesn't work anymore. I get a syntax error. I've
> been using this since about 3.6, so didn't expect it to
> break.
>
> I've stripped the firewall config down to as basic as I can
> make it, to reflect the behavior:
>
> --begin firewall config--
> external = fxp5
> ssh = "22"
> smtp= "25"
> penguin = "216.39.174.25"
> penguin_ports = "{" $ssh $smtp "}"
> pass in quick on $external \
>     proto tcp \
>     from any\
>     to $penguin \
>     port $penguin_ports \
>     flags S/SA \
>     keep state
>
> --end firewall config--
> (my original firewall config is about 370 lines, this is just
> the bare minimum to repro the behavior)
>
> If I try to validate the config with pfctl under 4.1 it
> validates no problem, if I try under 4.3 I get:
>
> pf.conf_small:5: syntax error
> pf.conf_small:10: macro 'penguin_ports' not defined
> pf.conf_small:11: syntax error
>
> I have other macros that have variables in them, which expand
> to IP addresses instead of port numbers and those validate
> no problem in 4.3.
>
> I looked at the web-based changelog of 4.1->4.2 and 4.2->4.3
> but didn't notice anything that might trigger this. I also
> re-checked the FAQ and from what I can tell what I am
> doing is still valid.
>
> any ideas?
>
> thanks
>
> nate

Hello,

penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
penguin_ports = "{" $ssh, $smtp "}"

--
Best Regards,
Vasile Cristescu
Re: pf macro behavior change between 4.1 and 4.3?
On 2008-08-02, nate <[EMAIL PROTECTED]> wrote:
> I am in the process of building a new OpenBSD 4.3 system in
> parallel to my existing 4.1 system and ran into a little
> glitch with regards to migrating my pf rule set to the new
> system.

The pfctl-based config parsers were re-unified between 4.2 and
4.3, most things just work but there are some uncommon cases
which used to work that don't now.

> ssh = "22"
> smtp= "25"
> penguin_ports = "{" $ssh $smtp "}"

For this in particular, you can simplify. Port names are looked
up from /etc/services; just write "{ ssh, smtp }". The comma is
optional - see op-list in BNF of pf.conf(5) - but imo makes it
easier to read (as does removing unnecessary macros).

> I looked at the web-based changelog of 4.1->4.2 and 4.2->4.3
> but didn't notice anything that might trigger this.

pfctl/pf.conf probably could have done with an explicit
mention, but on plus43.html you find "Improvements in the
common parser code generator for various OpenBSD daemons"
which is meant to cover this too.
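As an added illustration (editor's example, not a config posted in the thread), here is nate's stripped-down rule set rewritten the way Stuart suggests: the port list is written once with names resolved from /etc/services, so no numeric macro is nested inside another macro, which is the construct the 4.3 parser rejected and -current later accepted again (Stuart's `pfctl -nvf -` output above). The interface fxp5 and the host 216.39.174.25 are the thread's own values; the extra port 8443 is a constructed value standing in for the ports nate says are not in /etc/services and that he hard-codes instead.

```conf
# pf.conf fragment (added example; values taken from the thread except
# where marked constructed)
external = "fxp5"
penguin  = "216.39.174.25"

# One flat list macro instead of one macro per port nested inside a
# second macro. Names come from /etc/services; a port that is not listed
# there can be given numerically in the same list (8443 is a constructed
# placeholder here). The commas are optional per the op-list rule in
# pf.conf(5) but make the list easier to read.
penguin_ports = "{ ssh, smtp, 8443 }"

pass in quick on $external proto tcp from any to $penguin \
    port $penguin_ports flags S/SA keep state

# Dry-run check before loading: -n parses without loading the rule set,
# -v prints each macro and rule after expansion so you can see exactly
# what the parser produced (this is the command Stuart used on -current):
#   pfctl -nvf /etc/pf.conf
```

Because the list is now a plain quoted string, it behaves the same on 4.1, 4.3 and -current, and the config no longer depends on the numeric-macro-in-a-macro case that changed between releases. Running the `-nvf` dry run in whatever deploy script copies the file between systems catches a parse failure before the old rule set is replaced.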
Re: pf macro behavior change between 4.1 and 4.3?
On Sunday 03 August 2008, you wrote:
> Vasile Cristescu wrote:
> > Hello,
> > penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
> > penguin_ports = "{" $ssh, $smtp "}"
>
> Thanks for the quick reply! I just tried your suggestion but I get
> the same syntax error. The faq doesn't mention commas either(for
> recursive macros):
>
> http://www.openbsd.org/faq/pf/macros.html
>
> thanks again
>
> nate

Hello,

Try this :

penguin_ports = "{ $ssh, $smtp }"

--
Best Regards,
Vasile Cristescu
[EMAIL PROTECTED]
Re: pf macro behavior change between 4.1 and 4.3?
Vasile Cristescu wrote:
> Hello,
> penguin_ports = "{" $ssh $smtp "}" <-- I think it should be like :
> penguin_ports = "{" $ssh, $smtp "}"

Thanks for the quick reply! I just tried your suggestion but I get
the same syntax error. The faq doesn't mention commas either (for
recursive macros):

http://www.openbsd.org/faq/pf/macros.html

thanks again

nate
pf macro behavior change between 4.1 and 4.3?
Hello there ..

I am in the process of building a new OpenBSD 4.3 system in
parallel to my existing 4.1 system and ran into a little
glitch with regards to migrating my pf rule set to the new
system.

It seems that in 4.3, macros that expand to ports with
variables doesn't work anymore. I get a syntax error. I've
been using this since about 3.6, so didn't expect it to
break.

I've stripped the firewall config down to as basic as I can
make it, to reflect the behavior:

--begin firewall config--
external = fxp5
ssh = "22"
smtp= "25"
penguin = "216.39.174.25"
penguin_ports = "{" $ssh $smtp "}"
pass in quick on $external \
    proto tcp \
    from any\
    to $penguin \
    port $penguin_ports \
    flags S/SA \
    keep state

--end firewall config--
(my original firewall config is about 370 lines, this is just
the bare minimum to repro the behavior)

If I try to validate the config with pfctl under 4.1 it
validates no problem, if I try under 4.3 I get:

pf.conf_small:5: syntax error
pf.conf_small:10: macro 'penguin_ports' not defined
pf.conf_small:11: syntax error

I have other macros that have variables in them, which expand
to IP addresses instead of port numbers and those validate
no problem in 4.3.

I looked at the web-based changelog of 4.1->4.2 and 4.2->4.3
but didn't notice anything that might trigger this. I also
re-checked the FAQ and from what I can tell what I am
doing is still valid.

any ideas?

thanks

nate