Re: (src_addr) (dst_addr)

2005-04-20 Thread Daniel Hartmeier
On Wed, Apr 20, 2005 at 09:44:59PM +0930, alex wilkinson wrote:

 EXT_IF=tun0
 
 I want to refer to this interface in parentheses in case tun0's DHCP
 ip address changes.
 However, when I use the (...) feature in the following rule for example:
 
 block return-rst in log on ($EXT_IF) proto tcp all

The 'on interface' part takes an interface as argument, not an IP
address. So just use 'on tun0' there, without the parentheses. It
doesn't matter whether that interface changes IP addresses or not, it's
still the same interface.

You must have 'from address' or 'to address' in mind, which take IP
addresses as arguments. You can use an interface name in those contexts,
which means 'take the (first) address of that interface', or, when put
in parentheses, 'dynamically use the (first) address of that interface,
even if it changes'.

So, ($EXT_IF) applies only to the 'from' and 'to' parts, never to the
'on' part.

Daniel


Re: (src_addr) (dst_addr)

2005-04-20 Thread Jason Opperisano
On Wed, Apr 20, 2005 at 09:44:59PM +0930, alex wilkinson wrote:
 Hi all,
 
 I have a macro defined such as: 
 
 EXT_IF=tun0
 
 I want to refer to this interface in parentheses in case tun0's DHCP
 ip address changes.
 However, when I use the (...) feature in the following rule for example:
 
 block return-rst in log on ($EXT_IF) proto tcp all

'on $EXT_IF' resolves to the interface name, not the IP address.
The interface NAME is not dynamic--the IP address is.  Use the
parentheses when the token is expanded to the IP address, like if you
had:

  block return-rst in log on $EXT_IF proto tcp from any to ($EXT_IF)

 I get /etc/pf.conf:83: syntax error
 
 I can't see anything odd about my rule except for tun0 is a virtual interface.
 Should or can I use 'ppp' for $EXT_INT ?

Might I recommend a re-read of the PF User's Guide:

  http://openbsd.org/faq/pf/index.html

-j

--
Chris: Here, it's a Candy-cane. But don't stick it up your nose, it
 burns like hell.
--Family Guy
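
The distinction both replies make, written out as a pf.conf fragment. This is an added example, not a ruleset posted in the thread; the interface name tun0 is the poster's, and the ports and pass rules are assumptions chosen to illustrate the syntax.

```pf
# Added example, not from the original thread. tun0 is the poster's interface;
# the ports and pass rules are illustrative assumptions.
ext_if = "tun0"

# 'on' takes an interface NAME. The name does not change when DHCP hands out a
# new lease, so there is nothing to track dynamically here. Parenthesising it
# is what produced the poster's "syntax error".
#
#   Wrong:  block return-rst in log on ($ext_if) proto tcp all
block return-rst in log on $ext_if proto tcp all

# 'from' and 'to' take ADDRESSES. A bare interface name here is replaced by the
# interface's (first) address once, when the ruleset is loaded; a stale address
# after a lease change would silently stop matching. In parentheses, pf looks up
# the interface's current address each time the rule is evaluated, so the rule
# keeps following the DHCP-assigned address.
pass in  on $ext_if proto tcp from any to ($ext_if) port 22 keep state
pass out on $ext_if proto tcp from ($ext_if) to any keep state
```

Before loading, parse-check the file with `pfctl -nf /etc/pf.conf`; the `-n` flag parses the rules without loading them, so a misplaced parenthesis shows up as a syntax error with a line number instead of taking a half-loaded ruleset live.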