Syntax error in Snapshot pf.conf

2003-02-19 Thread Jason Dixon
I just finished upgrading a 3.2 -stable box to yesterday's snapshot to
try out the new IP ID feature (where is that documented?).  Anyhoo,
there was one rule in the pf.conf that was fine in 3.2, but the snapshot
is choking on:

pass in on $ext_if proto tcp from $other_net to ($int_if)/24 flags S/SA
modulate state

I assumed it was due to the expansion ($int_if)/24, so I tried with a
single IP, and that fixed it.  What is the new syntax like for cidr
expansion on an interface?  I can't find any examples in the manpage.

TIA,
J.




Re: Syntax error in Snapshot pf.conf

2003-02-19 Thread Henning Brauer
On Wed, Feb 19, 2003 at 09:51:14PM +0100, Srebrenko Sehic wrote:
 Is there any reason to have 10 ways of writing the same thing? Shouldn't
 we choose a syntax and stick with that?

if you think about it for a minute,
  $interface/24
and
  $interface:network
are not the same.
they CAN expand to the same thing. one possibility. just one.

$ echo block inet from lo0/24 | pfctl -nvf -
block drop inet from 127.0.0.0/24 to any 

$ echo block inet from lo0:network | pfctl -nvf -
block drop inet from 127.0.0.0/8 to any 

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
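To make the distinction above concrete, here is an added Python model of the two expansions (example code written for this page, not code from the thread or from pf/pfctl). It works over a constructed interface table standing in for what `ifconfig` would report: `if/N` takes the interface address and applies the mask given in the rule, ignoring the interface's own netmask, while `if:network` uses the mask the interface is actually configured with; `if:broadcast` is included alongside it. The interface names, addresses and masks are made up for the example.

```python
import ipaddress

# Constructed interface table standing in for `ifconfig` output;
# the names, addresses and prefix lengths are invented for this example.
SAMPLE_INTERFACES = {
    "lo0": ("127.0.0.1", 8),
    "em0": ("192.168.10.7", 24),
    "em1": ("10.20.0.5", 16),
}


def lookup(ifname, interfaces):
    """Return (address, own_prefixlen) for an interface, or fail loudly."""
    if ifname not in interfaces:
        # A rule naming an interface that does not exist should be rejected
        # when the ruleset is parsed, not discovered on reload.
        raise LookupError(f"interface {ifname} does not exist")
    return interfaces[ifname]


def expand(spec, interfaces=SAMPLE_INTERFACES):
    """Expand one pf-style interface address spec into a literal string.

    Forms modelled (this mimics pf.conf semantics, it does not call pfctl):
      if/N          apply the rule's own /N mask to the interface address
      if:network    use the netmask the interface is configured with
      if:broadcast  broadcast address of that configured network
    """
    if "/" in spec:
        ifname, prefix = spec.split("/", 1)
        addr, _own = lookup(ifname, interfaces)
        # The interface's configured mask plays no part here: /N wins.
        net = ipaddress.ip_network(f"{addr}/{int(prefix)}", strict=False)
        return str(net)
    if ":" in spec:
        ifname, modifier = spec.split(":", 1)
        addr, own = lookup(ifname, interfaces)
        net = ipaddress.ip_network(f"{addr}/{own}", strict=False)
        if modifier == "network":
            return str(net)
        if modifier == "broadcast":
            return str(net.broadcast_address)
        raise ValueError(f"unknown interface modifier {modifier!r}")
    raise ValueError(f"unrecognised address spec {spec!r}")


def same_expansion(ifname, prefix, interfaces=SAMPLE_INTERFACES):
    """True only when `if/N` and `if:network` happen to coincide."""
    return (expand(f"{ifname}/{prefix}", interfaces)
            == expand(f"{ifname}:network", interfaces))


if __name__ == "__main__":
    for spec in ("lo0/24", "lo0:network", "em0/24", "em0:network",
                 "em0:broadcast"):
        print(f"{spec:15} -> {expand(spec)}")
```

Running it reproduces the pfctl output quoted above for `lo0`: `lo0/24` becomes `127.0.0.0/24` while `lo0:network` becomes `127.0.0.0/8`, and `same_expansion("lo0", 24)` is false. For a constructed `em0` configured as /24 the two forms do coincide, which is the "one possibility" case.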




Re: Syntax error in Snapshot pf.conf

2003-02-19 Thread kjell
 if you think about it for a minute,
   $interface/24
 and
   $interface:network
 are not the same.
 they CAN expand to the same thing. one possibility. just one.


Well true, but in most cases where this is used, the intent is
the latter (the network $interface sits on). I would expect
:network and :broadcast syntax to satisfy just about everyone.

-kj




Re: Syntax error in Snapshot pf.conf

2003-02-19 Thread Srebrenko Sehic
On Wed, Feb 19, 2003 at 03:08:11PM -0700, [EMAIL PROTECTED] wrote:
  if you think about it for a minute,
$interface/24
  and
$interface:network
  are not the same.
  they CAN expand to the same thing. one possibility. just one.
 
 
 Well true, but in most cases where this is used, the intent is
 the latter (the network $interface sits on). I would expect
 :network and :broadcast syntax to satisfy just about everyone.

Agree. Flexibility is great, but it just might get too flexible.
KISS.

// haver




Re: Syntax error in Snapshot pf.conf

2003-02-19 Thread Jason Dixon
On Wed, 2003-02-19 at 17:40, Jason Dixon wrote:
 On Wed, 2003-02-19 at 15:06, Henning Brauer wrote:
   I assumed it was due to the expansion ($int_if)/24, so I tried with a
   single IP, and that fixed it.  What is the new syntax like for cidr
   expansion on an interface?  I can't find any examples in the manpage.
   
   $int_if:network probably
  
  well, of course that works fine, and of course $int_if/24 does too, but
  ($int_if)/24 does _not_.
  did that EVER work correctly?
  off to check pf.c ...
 
 As mentioned previously, yes, this worked with 3.2 -release and
 -stable.  Now that I think about it, the dynamic syntax () isn't even
 necessary on THAT interface, but I can see other instances where it
 might be.  Are you saying that interface macros now support dynamic
 updates by default?  If not, which syntax does?  Forgive me if it's in
 the manpage, I can't find it.

Sorry to self-post, but I did find that the syntax ($int_if:24) does
indeed work.  The manpage mentions...

When the interface name is surrounded by parentheses, the rule is
automatically updated whenever the interface changes its address.  The
ruleset does not need to be reloaded.

I'm probably splitting hairs, but this sounds a little ambiguous with
respect to interface modifiers.  Nothing a little testing can't solve,
but...

If I knew how to correctly create a diff, I'd be happy to submit doc
patches.  {wink}

-J.




Re: Syntax error in Snapshot pf.conf

2003-02-19 Thread Henning Brauer
On Wed, Feb 19, 2003 at 06:49:43PM -0500, Jason Dixon wrote:
 On Wed, 2003-02-19 at 18:38, Henning Brauer wrote: 
   $int_if:network expands properly, but dynamic () does not work (again,
   passes test mode ok, but fails with a reload).
  WHAT does not work?
  ($interface:network) is not supposed to work.
 Sorry, my mistake.  I expected parse mode to catch it.  :(

yeah, it should.

Index: parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.325
diff -u -r1.325 parse.y
--- parse.y 19 Feb 2003 22:00:20 -  1.325
+++ parse.y 20 Feb 2003 00:07:00 -
@@ -1588,6 +1588,10 @@
;
 
 address: '(' STRING ')'{
+   if (ifa_exists($2) == NULL) {
+   yyerror(interface %s does not exist, $2);
+   YYERROR;
+   }
$$ = calloc(1, sizeof(struct node_host));
if ($$ == NULL)
err(1, address: calloc);
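Review bot: the new `if (ifa_exists($2) == NULL)` branch in the `'(' STRING ')'` action leaves via `YYERROR` without releasing `$2`; if STRING tokens are heap-allocated here as they are elsewhere in this grammar, add `free($2);` before `YYERROR;` so the error path does not leak the interface name. Placing the existence check in the parser action is the right spot for the problem reported earlier in the thread: `pfctl -n` now rejects a parenthesised interface that does not exist instead of passing parse mode and only failing at load. The string literals in the visible lines (`yyerror(interface %s does not exist, $2)` and `err(1, address: calloc)`) have evidently lost their double quotes in transit and must be quoted C string literals in the actual patch.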

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)