[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"would-be-nice-to-have" feature of the parser in pfctl



Hi,


because I am lazy and want to dig through my pf.conf as little as possible commenting and uncommenting things, I wished that lists in curly brackets would always work -- even if they are empty, i.e. don't expand to any rules. Example:



hostA = "1.2.3.4" fwdtcpA = "1000, 2000:3000" fwdudpA = ""

[...]

rdr on egress proto tcp to port { $fwdtcpA } -> $hostA
rdr on egress proto udp to port { $fwdudpA } -> $hostA

[...]

pass in on egress proto tcp to $hostA port { $fwdtcpA } \
    flags S/SA keep state label "$nr: pass tcp rdr to $dstaddr:$dstport"
pass in on egress proto udp to $hostA port { $fwdudpA } \
    keep state label "$nr: pass udp rdr to $dstaddr:$dstport"


It would be nice if the UDP-related rules wouldn't cause syntax errors in the case above. I tried to achieve a similar effect with anchors, but those experiments always became way more complex than (un)commenting two lines in pf.conf. A very nasty and ugly workaround would be to have a supposedly empty lists to contain "0" ... but, "eww".


Allowing lists to expand to no rules may or may not be easy, I don't know -- yacc and pfctl's parser is way above my head ... so I'm just dropping this idea here; maybe someone finds this useful as well and is willing to provide a patch? :-P


Moritz