Lists
A list allows the specification of multiple similar criteria within a rule.
For example, multiple protocols, port numbers, addresses, etc.
So, instead of writing one filter rule for each IP address that needs to
be blocked, one rule can be written by specifying the IP addresses in a list.
Lists are defined by specifying items within { } brackets.
When pfctl(8) encounters a list during loading of the ruleset, it creates
multiple rules, one for each item in the list.
For example:
block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
This gets expanded to:
block out on fxp0 from 192.168.0.1 to any
block out on fxp0 from 10.5.32.6 to any
Multiple lists can be specified within a rule:
match in on fxp0 proto tcp to port { 22 80 } rdr-to 192.168.0.6
block out on fxp0 proto { tcp udp } from { 192.168.0.1, 10.5.32.6 } \
to any port { ssh https }
The commas between list items are optional.
Lists can also contain nested lists:
trusted = "{ 192.168.1.2 192.168.5.36 }"
pass in inet proto tcp from { 10.10.0.0/24 $trusted } to port 22
Beware of constructs like the following, dubbed "negated lists," which are
a common mistake:
pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }
While the intended meaning is usually to match "any address within 10.0.0.0/8,
except for 10.1.2.3," the rule expands to...
pass in on fxp0 from 10.0.0.0/8
pass in on fxp0 from !10.1.2.3
...which matches any possible address.
Instead, a table should be used.
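The following is an added example, not part of the PF FAQ or of pfctl itself: a small Python model of how pfctl(8) expands { } lists into separate rules, followed by a check of which source addresses the "negated list" above ends up matching, compared with the same two entries placed in a table. The rules are the constructed ones from the text; the match logic only looks at the "from" part of each rule, and the table lookup models the pf.conf(5) rule that the most specific table entry wins and a "!" on that entry excludes the address.

```python
"""Model of pfctl(8) list expansion and of the "negated list" pitfall.

Added example, not pfctl code. The rules are constructed to mirror the ones in
the text; only the 'from <address>' part of a rule is evaluated, which is all
the pitfall needs.
"""
import itertools
import ipaddress
import re

# One { } list, allowing one level of nesting (PF simply flattens nested lists).
LIST_RE = re.compile(r'\{((?:[^{}]|\{[^{}]*\})*)\}')


def list_items(body):
    """Split the text inside { } into items; commas are optional, nesting is flattened."""
    flat = body.replace('{', ' ').replace('}', ' ')
    return [item for item in re.split(r'[\s,]+', flat) if item]


def expand_lists(rule):
    """Expand every { } list in a rule into one rule per combination of items,
    the way pfctl does when it loads a ruleset."""
    segments = []          # each entry holds the alternatives for that position
    pos = 0
    for m in LIST_RE.finditer(rule):
        segments.append([rule[pos:m.start()]])
        segments.append(list_items(m.group(1)))
        pos = m.end()
    segments.append([rule[pos:]])
    return [re.sub(r'\s+', ' ', ''.join(combo)).strip()
            for combo in itertools.product(*segments)]


def source_matches(rule, addr):
    """Does the 'from' part of a single, already expanded rule match addr?"""
    m = re.search(r'\bfrom\s+(!?)(\S+)', rule)
    negated, spec = m.group(1) == '!', m.group(2)
    if spec == 'any':
        return not negated
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return inside != negated


def ruleset_matches(rule, addr):
    """True if any rule produced by expanding `rule` matches addr."""
    return any(source_matches(r, addr) for r in expand_lists(rule))


def table_contains(entries, addr):
    """Model of a PF table lookup: the most specific entry wins, and a '!' on
    that entry excludes the address."""
    ip = ipaddress.ip_address(addr)
    best = None                                  # (negated, network) of best hit
    for entry in entries:
        negated = entry.startswith('!')
        net = ipaddress.ip_network(entry.lstrip('!'), strict=False)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


if __name__ == '__main__':
    for rule in [
        'block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any',
        'block out on fxp0 proto { tcp udp } from { 192.168.0.1, 10.5.32.6 } to any port { ssh https }',
        'pass in inet proto tcp from { 10.10.0.0/24 { 192.168.1.2 192.168.5.36 } } to port 22',
    ]:
        print(rule)
        for expanded in expand_lists(rule):
            print('    ', expanded)

    trap = 'pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }'
    table = ['10.0.0.0/8', '!10.1.2.3']          # same entries, as a table
    for addr in ['10.1.2.3', '10.5.5.5', '8.8.8.8']:
        print(addr, 'negated list:', ruleset_matches(trap, addr),
              ' table:', table_contains(table, addr))
```

Running it shows the second rule expanding to 2 x 2 x 2 = 8 rules, the nested list flattening to three rules, and the negated list passing 10.1.2.3, 10.5.5.5 and 8.8.8.8 alike, while the table passes only 10.5.5.5. The real check on a PF host is `pfctl -nvf /etc/pf.conf`, which prints the expanded rules without loading them.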
Macros
Macros are user-defined variables that can hold IP addresses, port numbers,
interface names, etc.
Macros can reduce the complexity of a PF ruleset and also make maintaining
it much easier.
Macro names must start with a letter and may contain letters, digits and
underscores.
Macro names cannot be reserved words such as pass, out or queue.
ext_if = "fxp0"
block in on $ext_if from any to any
This creates a macro named ext_if.
When a macro is referred to after it's been created, its name is preceded
with a $ character.
Macros can also expand to lists, such as:
friends = "{ 192.168.1.1, 10.0.2.5, 192.168.43.53 }"
Macros can be defined recursively.
Since macros are not expanded within quotes the following syntax must be used:
host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
The macro $all_hosts now expands to 192.168.1.1, 192.168.1.2.
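The following is an added example, not part of the PF FAQ or of pfctl: a Python model of the macro behaviour just described, covering definition, the name rules, $name substitution in rules, recursive definitions, and the fact that a $name inside double quotes is left alone. The configuration text and the reserved-word set inside it are constructed for the demonstration; the reserved list is deliberately partial.

```python
"""Model of pf.conf macro handling: definition, $name substitution, recursive
macros, and the rule that macros are not expanded inside double quotes.

Added example, not pfctl code. SAMPLE_CONF is constructed for this demo.
"""
import re

# Partial set of reserved words that cannot be used as macro names (assumption:
# enough for the demo; pf.conf(5) lists the full grammar).
RESERVED = {'pass', 'block', 'match', 'in', 'out', 'on', 'queue', 'table', 'set'}
NAME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_]*$')
DEF_RE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*)$')
TOKEN_RE = re.compile(r'"[^"]*"|\$[A-Za-z_][A-Za-z0-9_]*|\S+')

SAMPLE_CONF = """
ext_if = "fxp0"
host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
# Quoted, so the $ names below are NOT expanded: this is the mistake the text warns about.
not_expanded = "{ $host1 $host2 }"
block in on $ext_if from any to any
pass in on $ext_if from $all_hosts to any
"""


def lookup(name, macros):
    """Fetch a macro's value; an undefined macro is a load error in pfctl too."""
    if name not in macros:
        raise KeyError(f'macro {name!r} is not defined')
    return macros[name]


def parse_value(raw, macros):
    """Evaluate the right-hand side of a definition: quoted text is literal,
    bare $name references are replaced (this is what makes recursion work)."""
    out = []
    for tok in TOKEN_RE.findall(raw):
        if tok.startswith('"'):
            out.append(tok[1:-1])            # inside quotes: no expansion
        elif tok.startswith('$'):
            out.append(lookup(tok[1:], macros))
        else:
            out.append(tok)
    return ' '.join(out)


def define_macro(name, raw, macros):
    """Validate the macro name as the text describes, then store its value."""
    if name in RESERVED:
        raise ValueError(f'{name!r} is a reserved word and cannot be a macro name')
    if not NAME_RE.match(name):
        raise ValueError(f'{name!r}: names start with a letter, then letters, digits or _')
    macros[name] = parse_value(raw, macros)


def expand_rule(rule, macros):
    """Replace each $name in a rule with the macro's value."""
    return re.sub(r'\$([A-Za-z_][A-Za-z0-9_]*)',
                  lambda m: lookup(m.group(1), macros), rule)


def load(conf):
    """Process pf.conf-style text line by line: definitions fill the macro
    table, every other non-comment line is a rule to expand."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = DEF_RE.match(line)
        if m:
            define_macro(m.group(1), m.group(2), macros)
        else:
            rules.append(expand_rule(line, macros))
    return macros, rules


if __name__ == '__main__':
    macros, rules = load(SAMPLE_CONF)
    for name, value in macros.items():
        print(f'{name} = {value}')
    for rule in rules:
        print(rule)
```

The output shows all_hosts expanding to "{ 192.168.1.1 192.168.1.2 }" while not_expanded keeps the literal "$host1" and "$host2", so a rule using it would fail to load on a real system; defining a macro named "pass" raises the reserved-word error.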