From: Jason McIntyre
Subject: Re: pf.conf.5: additional quoting for ranges in lists
To: tech@openbsd.org
Date: Mon, 9 Dec 2024 07:18:09 +0000

On Mon, Dec 09, 2024 at 06:44:04AM +0000, Quentin Thébault wrote:
> Hi,
>
> I was setting up my pf firewall and wanted to use range macros in a list macro, and found out additional
> quoting was necessary although it was not documented.
>
> I would like to propose the patch below to add a statement and example to the man page to address that.
>
> Kind regards,
> --
> Quentin THÉBAULT
> Defenso | Ingénierie de cyberdéfense | Associé
>

hi.

if the method you've shown is really correct, then it's really yucky!
i'll leave the technicalities of quoting to someone who knows this stuff
better.

i have some feedback on your actual diff though:

>
> Index: share/man/man5/pf.conf.5 > =================================================================== > RCS file: /cvs/src/share/man/man5/pf.conf.5,v > diff -u -p -r1.602 pf.conf.5 > --- share/man/man5/pf.conf.5 15 Apr 2024 14:06:52 -0000 1.602 > +++ share/man/man5/pf.conf.5 6 Dec 2024 13:10:22 -0000 > @@ -91,6 +91,8 @@ Macro names may not be reserved words (f > .Cm in , > .Cm out ) . > Macros are not expanded inside quotes. > +Ranges of network addresses used in macros that will be expanded in lists > +later on must be quoted with additional simple quotes.

i think you can remove "later on". the detail isn't needed, and is
inferred from "will be" (in the future) anyway.

i think it should say "single" quotes, rather than "simple".

we often clarify such details to avoid ambiguity:

	additional single quotes (').

i don't think that's needed here though.

jmc

> .Pp > For example: > .Bd -literal -offset indent 
> @@ -98,6 +100,11 @@ ext_if = "kue0" > all_ifs = "{" $ext_if lo0 "}" > pass out on $ext_if from any to any > pass in on $ext_if proto tcp from any to any port 25 > + > +usr_lan_range = "'192.0.2.0/24'" > +srv_lan_range = "'198.51.100.0 - 198.51.100.255'" > +nat_ranges = \&"{\&" $usr_lan_range $srv_lan_range \&"}\&" > +nat on $ext_if from $nat_ranges to any -> ($ext_if) > .Ed > .Sh PACKET FILTERING > .Xr pf 4
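
Review bot: in the first hunk (@@ -91,6 +91,8 @@), the added sentence limits the rule to "ranges of network addresses", but the example added in the second hunk applies the same extra quoting to a CIDR network (usr_lan_range = "'192.0.2.0/24'") as well as to a dash range, so the text and the example disagree on what needs the quotes. Suggest naming the address forms that need the inner quotes and saying in a few words why they are needed, since the sentence sits directly after "Macros are not expanded inside quotes." and gives the reader no reason for nesting a second pair.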
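
Review bot: in the second hunk (@@ -98,6 +100,11 @@), the new nat_ranges line escapes its quotes as \&"{\&" while the existing all_ifs line in the same literal block, visible as context, writes "{" and "}" with no \&; both lines express the same list construct, so the new line should match the existing one unless the escape is shown to be required. It is also worth confirming that the final rule, nat on $ext_if from $nat_ranges to any -> ($ext_if), uses the rule syntax this revision of the page documents, since a man page example is often pasted into a live ruleset as-is.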