
"would-be-nice-to-have" feature of the parser in pfctl


because I am lazy and want to dig through my pf.conf as little as possible commenting and uncommenting things, I wished that lists in curly brackets would always work -- even if they are empty, i.e. don't expand to any rules. Example:

hostA = ""
fwdtcpA = "1000, 2000:3000"
fwdudpA = ""


rdr on egress proto tcp to port { $fwdtcpA } -> $hostA
rdr on egress proto udp to port { $fwdudpA } -> $hostA


pass in on egress proto tcp to $hostA port { $fwdtcpA } \
    flags S/SA keep state label "$nr: pass tcp rdr to $dstaddr:$dstport"
pass in on egress proto udp to $hostA port { $fwdudpA } \
    keep state label "$nr: pass udp rdr to $dstaddr:$dstport"

It would be nice if the UDP-related rules wouldn't cause syntax errors in the case above. I tried to achieve a similar effect with anchors, but those experiments always became way more complex than (un)commenting two lines in pf.conf. A very nasty and ugly workaround would be to have supposedly empty lists contain "0" ... but, "eww".

Allowing lists to expand to no rules may or may not be easy, I don't know -- yacc and pfctl's parser are way above my head ... so I'm just dropping this idea here; maybe someone finds this useful as well and is willing to provide a patch? :-P
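One way to get the effect the post asks for without touching pfctl's grammar is to generate the rdr/pass rules from a small shell script and pull the result into pf.conf with the include directive. The script below is an added example, not code from the original post or from the pf project; it assumes the three macro values are passed as arguments and the function names (emit_rdr_rules, generate_pf_fragment) are hypothetical.

```sh
#!/bin/sh
# Added example: emit pf rdr/pass rules only for non-empty port lists, so an
# empty list produces no rules instead of a pf.conf syntax error.

# emit_rdr_rules PROTO PORTLIST HOST
# Prints an rdr rule and its matching pass rule for PROTO when PORTLIST
# contains at least one non-whitespace character; prints nothing otherwise.
emit_rdr_rules() {
    proto=$1
    ports=$2
    host=$3
    # An empty or whitespace-only list yields no rules at all.
    case $ports in
        *[![:space:]]*) ;;
        *) return 0 ;;
    esac
    printf 'rdr on egress proto %s to port { %s } -> %s\n' "$proto" "$ports" "$host"
    printf 'pass in on egress proto %s to %s port { %s } keep state\n' "$proto" "$host" "$ports"
}

# generate_pf_fragment HOST TCPPORTS UDPPORTS
# Builds the complete fragment for one forwarded host: TCP rules first,
# then UDP rules, each block omitted when its list is empty.
generate_pf_fragment() {
    host=$1
    tcpports=$2
    udpports=$3
    emit_rdr_rules tcp "$tcpports" "$host"
    emit_rdr_rules udp "$udpports" "$host"
}

# Usage (paths are placeholders):
#   generate_pf_fragment 10.0.0.5 "1000, 2000:3000" "" > /etc/pf.rdr.conf
# then in pf.conf:
#   include "/etc/pf.rdr.conf"
# and check the whole ruleset before loading it:
#   pfctl -nf /etc/pf.conf
```

The check with pfctl -nf is the part worth keeping even if the script is changed: a generator that silently emits nothing for an empty list is convenient, but it also means a typo in a macro name produces no rule at all rather than an error, so every regeneration should be parsed before it is loaded.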