pfctl : recursive parsing of groups

for pfctl's parsing of pf and nat rules, a grouping is currently defined as
  group ::= NAME | '{' NAME [ , NAME ...] '}'   How difficult would it be to define it as   group ::= NAME | '{' group [ , group ...] '}'

The reason for this is that I ran into a situation where I defined something like the following:

int = "{ xl1, xl2 }"
ext = " xl0 "

For the most part, this works fine, because I tend to define packets in terms of either coming from the inside or the outside, but when cheking for wormsign, I ran into the following construct:

block in log on { $int, $ext } proto udp from any port 2002 to any port 2002

This, of course, fails because the { $int, $ext } expands to: { { xl1, xl2 }, xl0 }
which is currently illegal.

My workaround was:

either = "{ xl0, xl1, xl2 }"
# apache worm.
block in log on $either proto udp from any port 2002 to any port 2002

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek

In this specific case I could also just remove the 'on' construct, but I'd prefer to have the IF designation there for completeness. (it also works in case a 4th interface gets added that doesn't actually fit in the group).

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.