Hello there .. I am in the process of building a new OpenBSD 4.3 system in parallel to my existing 4.1 system and ran into a little glitch with regard to migrating my pf rule set to the new system.

It seems that in 4.3, macros that expand to ports with variables don't work anymore. I get a syntax error. I've been using this since about 3.6, so didn't expect it to break. I've stripped the firewall config down to as basic as I can make it, to reflect the behavior:

--begin firewall config--
external = fxp5
ssh = "22"
smtp = "25"
penguin = "216.39.174.25"
penguin_ports = "{" $ssh $smtp "}"
pass in quick on $external \
        proto tcp \
        from any \
        to $penguin \
        port $penguin_ports \
        flags S/SA \
        keep state
--end firewall config--

(my original firewall config is about 370 lines, this is just the bare minimum to repro the behavior)

If I try to validate the config with pfctl under 4.1 it validates no problem; if I try under 4.3 I get:

pf.conf_small:5: syntax error
pf.conf_small:10: macro 'penguin_ports' not defined
pf.conf_small:11: syntax error

I have other macros that have variables in them, which expand to IP addresses instead of port numbers, and those validate no problem in 4.3. I looked at the web-based changelog of 4.1->4.2 and 4.2->4.3 but didn't notice anything that might trigger this. I also re-checked the FAQ and from what I can tell what I am doing is still valid.

any ideas?

thanks
nate