
I’m trying to expand a macro that contains an address with a subnet mask into a list with PF like so:

subnet1 = "192.168.1.0/24"
subnet2 = "10.0.0.0/8"
subnets = "{" $subnet1 $subnet2 "}"

But this results in a syntax error on the last line:

/etc/pf.conf:3: syntax error

It works fine with non-subnet mask addresses:

ip1 = "192.168.1.0"
ip2 = "10.0.0.0"
ips = "{" $ip1 $ip2 "}"

I’m using PF from FreeBSD 10.0 (≈ PF from OpenBSD 4.5). How can I get this to work?

Andrew Marshall

1 Answer

You have to quote the subnet mask addresses again (with single quotes) when defining them:

subnet1 = "'192.168.1.0/24'"
subnet2 = "'10.0.0.0/8'"
subnets = "{" $subnet1 $subnet2 "}"

Sadly this doesn’t appear to be documented anywhere.

Andrew Marshall
  • More sadly, this doesn't seem to work: `subnet1="{ '192.168.1.0/24' '192.168.2.0/24' }"` `subnet2 = "'10.0.0.0/8'"` `subnets = "{" $subnet1 $subnet2 "}"`. If I define `subnet1="'192.168.1.0/24' '192.168.2.0/24'"` then it can be nested in another macro but not used in a rule. Any workarounds? – simlev Nov 22 '17 at 16:21
  • Ok, this took me some trial and error: `lan_a="'192.0.1.0/24' '192.0.2.0/24'"` `lan_b="'192.0.3.0/24'"` `lan=$lan_a $lan_b` `pass from { $lan }` `pass from { $lan_a }` `pass from { $lan_b }` `pass from { $lan_a $lan_b }` – simlev Nov 22 '17 at 16:35
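A constructed pf.conf fragment, added here and not taken from the question or the answer, that puts the answer's single-quoting together with the workaround from the comments (keep the list braces in the rule, not in the macro). The interface name em0, the networks and the rules themselves are assumptions.

```pf
# Constructed example: CIDR subnets in nested pf macros.
# A mask address is single-quoted inside the double-quoted macro value so
# that the "/" is still read as part of one string when the macro is
# expanded again inside another macro definition.
lan_a = "'192.0.1.0/24' '192.0.2.0/24'"   # two networks in one macro
lan_b = "'192.0.3.0/24'"                  # one network
mgmt  = "'10.0.0.0/8'"

# Nest macros without braces; the "{ }" list syntax goes into the rule.
lan = $lan_a $lan_b

ext_if = "em0"                            # assumed interface name

set skip on lo

block in on $ext_if
pass in  on $ext_if proto tcp from { $lan } to ($ext_if) port 22
pass in  on $ext_if from { $lan_a $mgmt } to any
pass out on $ext_if from { $lan } to any

# Parse the file and print the expanded rules without loading them:
#   pfctl -nvf /etc/pf.conf
```

Running the `pfctl -nvf` check first shows whether every macro expands to the intended host list before the ruleset replaces the live one.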