pf.conf.5: additional quoting for ranges in lists
Hi,
I was setting up my pf firewall and wanted to use range macros in a list macro, and found out additional
quoting was necessary although it was not documented.
I would like to propose the patch below to add a statement and example to the man page to address that.
Kind regards,
--
Quentin THÉBAULT
Defenso | Ingénierie de cyberdéfense | Associé
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
diff -u -p -r1.602 pf.conf.5
--- share/man/man5/pf.conf.5 15 Apr 2024 14:06:52 -0000 1.602
+++ share/man/man5/pf.conf.5 6 Dec 2024 13:10:22 -0000
@@ -91,6 +91,8 @@ Macro names may not be reserved words (f
.Cm in ,
.Cm out ) .
Macros are not expanded inside quotes.
+Ranges of network addresses used in macros that will be expanded in lists
+later on must be quoted with additional simple quotes.
.Pp
For example:
.Bd -literal -offset indent
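Review bot: "simple quotes" in the added sentence should read "single quotes", and the sentence should state which address forms it covers. It speaks of "ranges of network addresses", yet the example added later in the patch quotes a CIDR block ('192.0.2.0/24') as well as an "a - b" range. If only the dash form needs the extra quoting, say so and leave the CIDR macro unquoted in the example; if both need it, name both. "later on" can be dropped, for instance: "Address ranges in macros that are expanded inside lists must be enclosed in additional single quotes."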
@@ -98,6 +100,11 @@ ext_if = "kue0"
all_ifs = "{" $ext_if lo0 "}"
pass out on $ext_if from any to any
pass in on $ext_if proto tcp from any to any port 25
+
+usr_lan_range = "'192.0.2.0/24'"
+srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
+nat_ranges = \&"{\&" $usr_lan_range $srv_lan_range \&"}\&"
+nat on $ext_if from $nat_ranges to any -> ($ext_if)
.Ed
.Sh PACKET FILTERING
.Xr pf 4
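Review bot: The added nat_ranges line escapes its braces as \&"{\&", while the unchanged all_ifs line at the top of this hunk, in the same literal block, writes "{" and "}" bare; use one form for both so the rendered example is consistent. The new example is also the only rule in the block written as "nat on ... ->" where the existing ones are pass rules, so run the finished example through pfctl -nf to confirm it parses under the grammar this revision of the page documents, and consider demonstrating the quoted list in a rule form the block already uses.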