
Re: PF '$if:network' syntax with more than one interface IP.



On Tuesday 06 July 2004 11.26, Per-Olov Sjöholm wrote:
> Cedric Berger said:
> > Per-Olov Sjöholm wrote:
> >>Hi !
> >>
> >>I have used "$if:network" and "$if:broadcast" much to avoid specifying macros
> >>with IP addresses. However... I have recently fixed me a second public IP on
> >>my internet interface. Now I see the limitations with this and have to go
> >>back and specify the IP:s directly in pf.conf (for the Internet interface..)
> >>as I don't want both my public IP:s expanded in the ruleset. If I specify
> >>"$if:network" both addresses are expanded....
> >
> > If you're using 3.5, you can do the following:
> >
> >    "$if:0:network" or "$if:0:broadcast"
> >
> > It will also work for dynamic addresses, like:
> >
> >    "($if:0:network)" or "($if:0:broadcast)"
>
> This was very good news.
> Thanks Cedric !
Hi again Cedric.
I haven't had the time to fix with this until now. That's why this thread
reply comes one month after the last post.
It seems like the $if:0 syntax works ok. Using this I can avoid hardcoded IP:s
for the interfaces in pf.conf. But I also assumed that I should be able to
use $if:1 as well when I have an "inet alias" in my hostname.fxp1 file. But
trying to use anything else but ":0" doesn't work.
Using $if:1 in pf.conf with a verbose reload produces a:
--snip--
 no IP address found for fxp1:1
/etc/pf.conf:202: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
--snip--
(The hosts and hostname.fxp1 files are ok, and both names are in the DNS as
well except for the PTR:s.)
Maybe you know why it's not possible to specify the "inet alias" IP from the
hostname file with ":1" in pf.conf? I think it should work. But how?
Otherwise this syntax seems to be useless if only ":0" works.
Thanks in advance
Per-Olov Sjöholm
>
> Regards
> /Per-Olov
>
> >>The question:
> >>Is it possible to fix the interface a'la Solaris where you can specify
> >>interfaces for example "hme0:1", "hme0:2" etc where you have a separate
> >>interface name for each IP on the same physical interface.. Then it would
> >>still be possible to use the syntax above that I really like.
> >
> > No
> > Cedric
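The following pf.conf fragment is an added illustration of the ":0" modifier discussed in this thread; it is not from any of the posters. The interface name, the macro and the 192.0.2.x addresses are assumed placeholders. Note that in pf.conf(5) ":0" is documented as "do not include interface aliases", i.e. it is a flag that drops aliases rather than an index into the address list, which is why ":1" is not accepted by pfctl.

```pf
# Added example (not from the thread). Interface and addresses are assumed.
ext_if = "fxp1"

# Hardcoded form: every address on fxp1 must be listed by hand and kept in
# sync with /etc/hostname.fxp1 (placeholder addresses).
# pass in on $ext_if from 192.0.2.0/24 to 192.0.2.10
# pass in on $ext_if from 192.0.2.0/24 to 192.0.2.11

# Without ":0", $ext_if:network expands to the network of every address
# configured on fxp1, so the primary address and the inet alias both end up
# in the loaded ruleset:
# pass in on $ext_if from $ext_if:network to $ext_if

# With ":0" (OpenBSD 3.5 and later) aliases are excluded and only the
# primary address of fxp1 is expanded:
pass in on $ext_if from $ext_if:0:network to $ext_if:0

# Parentheses make pf re-evaluate the address when it changes (e.g. DHCP)
# instead of expanding it once at load time:
pass out on $ext_if from ($ext_if:0) to any
block in on $ext_if from any to ($ext_if:0:broadcast)
```

Before loading, `pfctl -nvf /etc/pf.conf` parses the file without installing it and prints the expanded rules, so you can confirm that only the primary address (and not the alias) appears where ":0" is used. Loading the same file without the ":0" modifier and comparing the two outputs shows exactly which extra addresses the aliases would have pulled in.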