Re: Commenting rule sets
On Tue, Aug 13, 2002 at 07:04:16PM -0700, Paul B. Henson wrote:

> If so, I might go ahead and kludge the in line comments into 3.1 (as I
> think that would be easier than backporting string concatenation) and then
> convert to this syntax for 3.2.

The diff below (against 3.1-release src/sbin/pfctl/parse.y) adds support for # comments after \ backslashes and inside string literals; you can use either of the two chunks separately, too.

The opposition, especially to the latter, was quite violent, so this won't go into the tree (again).

Daniel

--- parse.y.origWed Aug 14 08:04:14 2002 +++ parse.y Wed Aug 14 08:07:42 2002 @@ -1438,7 +1438,12 @@ c = getc(fin); if (c == '\\') { - next = getc(fin); + while ((next = getc(fin)) == ' ') + ; + if (next == '#') + do + next = getc(fin); + while (next != '\n' && next != EOF); if (next != '\n') { ungetc(next, fin); return (c); @@ -1539,6 +1544,10 @@ *p = '\0'; break; } + if (c == '#') + do + c = lgetc(fin); + while (c != '\n' && c != EOF); if (c == '\n') continue; if (p + 1 >= buf + sizeof(buf) - 1) {
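Review bot: in the first hunk (the backslash handling around line 1438) the whitespace skip `while ((next = getc(fin)) == ' ')` only accepts spaces, so a tab between the backslash and the `#` is pushed back by `ungetc(next, fin)` and the comment is not recognised; check for `'\t'` as well. The same loop also changes tokenization for a backslash followed by spaces and then ordinary text: the spaces are consumed and only `next` is pushed back, where before exactly one character was read and returned, so such input is now read as if the spaces were absent. If that is acceptable, say so in the commit message; otherwise the skip needs to be limited to the case where a `#` actually follows.

Review bot: in the second hunk (the string-literal loop around line 1544) a `#` inside quotes now unconditionally starts a comment, so any existing rule set with a quoted string containing a literal `#` silently loses the rest of that line with no parse error, which changes the meaning of the string syntax rather than only adding comment support; either provide an escape for a literal `#` or restrict comment handling to the unquoted context. Also, after the `do ... while (c != '\n' && c != EOF)` loop `c` may be EOF, and the only check that follows is `if (c == '\n') continue;`, so EOF falls through to the buffer-length check; add an explicit EOF check before that.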
Re: Commenting rule sets
On Tue, 13 Aug 2002, Henning Brauer wrote:

> well, I must admit I okay'd that myself... but string concat is a much
> better solution.

If I understand the -current source, string concatenation is achieved by simply placing two strings next to each other?

    foo = "bar" "baz"

As such, the style of comments I seek would be implemented as:

    foonets = "{ 10.0.0.0/24," # subnet blah
              " 10.0.1.0/24," # important stuff
              " 10.0.2.0/24 } " # don't forget

Is that right?

If so, I might go ahead and kludge the in line comments into 3.1 (as I think that would be easier than backporting string concatenation) and then convert to this syntax for 3.2.

-- 
Paul B. Henson | (909) 869-3781 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [EMAIL PROTECTED]
California State Polytechnic University | Pomona CA 91768
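As an added example, not from this thread and not pfctl's own lexer: a small C routine that joins adjacent string literals the way the concatenation syntax above would, treating `#` as a comment only outside quotes so that a `#` inside a quoted string survives (the property the in-string-comment kludge loses). The function name, the sample rule set and the return convention are assumptions made for this example.

```c
#include <string.h>

/*
 * Assumed helper, not pfctl code: collect the string literals in a
 * pf.conf-style assignment and concatenate them into out, the way
 * adjacent "foo" "bar" literals join. A '#' outside quotes starts a
 * comment running to end of line; a '#' inside quotes is kept as text.
 * Returns 0 on success, -1 on an unterminated literal or a too-small out.
 */
int
concat_strings(const char *in, char *out, size_t outsz)
{
	size_t o = 0;
	const char *p = in;

	if (outsz == 0)
		return (-1);
	while (*p != '\0') {
		if (*p == '#') {		/* comment: skip to end of line */
			while (*p != '\0' && *p != '\n')
				p++;
			continue;
		}
		if (*p != '"') {		/* name, '=', whitespace, newline */
			p++;
			continue;
		}
		/* inside a literal: '#' and spaces are ordinary characters */
		for (p++; *p != '"'; p++) {
			if (*p == '\0' || *p == '\n')
				return (-1);	/* unterminated literal */
			if (o + 1 >= outsz)
				return (-1);	/* no room for char plus NUL */
			out[o++] = *p;
		}
		p++;				/* closing quote */
	}
	out[o] = '\0';
	return (0);
}

/* Constructed sample input in the concatenation-with-comments syntax. */
const char *sample_rules =
    "foonets = \"{ 10.0.0.0/24,\" # subnet blah\n"
    "          \" 10.0.1.0/24,\" # important stuff\n"
    "          \" 10.0.2.0/24 } \" # don't forget\n";
```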
RE: 2 gateways, route-to probs.
Try

    Pass out on rl0 route-to ne1:123.123.123.7 from 123.123.123.123 to any keep state

You're route-to'ing the reply packets which will have a source address of the mail server.

Cheers,
Adrian.

-Original Message-
From: Matijs [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 August 2002 7:07 AM
To: [EMAIL PROTECTED]
Subject: Re: 2 gateways, route-to probs.

I tried:

    pass out on rl0 route-to ne1:123.123.123.7 from any to 123.123.123.123 keep state

but it didn't work. Your assumption was correct, the default route is through rl0.

Maybe with some more information that comes to mind. It's not possible to run a mailserver on the 234.234.234.234 ip address since port 25 is blocked on that network. I have however, always been running a mailserver on the 123.123.123.123 ip address (which was the interface with the default route before I got my second internet gateway). I would still like to do that, while all of my surfing goes out 234.234.234.234 since that is the ip address with the biggest bandwidth. Problem now is that, from the outside, nobody can connect to 123.123.123.123 because replies get sent out through the default route, which is through rl0, with a different ip address.

Does this help?

Grts.
Matijs

- Original Message -
From: "Daniel Hartmeier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:50 PM
Subject: Re: 2 gateways, route-to probs.

> On Tue, Aug 13, 2002 at 10:25:19PM +0200, Matijs wrote:
>
> > pass out on ne1 route-to ne1:123.123.123.7 from any to
> > 123.123.123.123 keep
> > state
> >
> > ... but this doesn't work. Pings to 123.123.123.123 get 'replied' to through
> > the rl0 (234.234.234.234) interface.
>
> I assume your default route is through rl0. The problem is that the
> above rule does only apply to packets that go out through ne1, which
> the packets in question don't (due to the default route).
>
> Try
>
> pass out on rl0 route-to ne1:123.123.123.7 ...
>
> instead.
>
> Daniel