Netgate Discussion Forum
    Using an alias in a custom filter.inc rule


      Andrew453

      I need to use an alias in a custom filter.inc rule, but am getting a syntax error.

      The rule is in the format below:

      pass  out log  on {  em0  } dup-to ( em1 192.168.1.3 ) inet proto tcp  from any to $My_Alias port 80 ridentifier {$increment_tracker()} flags S/SA keep state  label "USER_RULE: Custom Rule 1"
      pass  in log  on {  em0  } dup-to ( em1 192.168.1.3 ) inet proto tcp  from $My_Alias to 192.168.1.87 port 80 ridentifier {$increment_tracker()} flags S/SA keep state  label "USER_RULE: Inbound Custom Rule 1"

      ... where My_Alias is defined in the UI. I've looked at other rules in the rules.debug file that is generated, and they also use the $ syntax. The rule works fine if I hard code the IP addresses covered by the alias, but doesn't work if I try to reference the alias itself.

      Grateful for any suggestions as to what is wrong here.

      Alternatively, if there is a way of getting this rule to work from the UI (rather than having to code something into filter.inc) this would be even better. The important bit is the packet duplication (I'm monitoring the traffic by mirroring it to 192.168.1.3).

      Thanks for your help.

        Andrew453

        ... I've had a closer look at this to see how the filter.inc file actually works.

        There's a function filter_expand_alias that will build out the alias for you. But it's necessary to layer up the rule as a series of string concatenations rather than trying to use EOD.

        So you end up with:

        	// Build each rule by concatenation so PHP never sees a "$alias" token
        	// it would try to interpolate; filter_expand_alias() returns the alias
        	// members as a space-separated list, and the { } makes pf read it as a list.
        	$ipfrules .= "pass  out log  on {  em0  } dup-to ( em1 192.168.1.3 ) inet proto tcp  from any to {";
        	$ipfrules .= filter_expand_alias("My_Alias");
        	$ipfrules .= "} port 80 ridentifier {$increment_tracker()} flags S/SA keep state  label \"USER_RULE: Outbound Custom Rule\"\n";
        	$ipfrules .= "pass  in log  on {  em0  } dup-to ( em1 192.168.1.3 ) inet proto tcp  from {";
        	$ipfrules .= filter_expand_alias("My_Alias");
        	$ipfrules .= "} to 192.168.1.87 port 80 ridentifier {$increment_tracker()} flags S/SA keep state  label \"USER_RULE: Inbound Custom Rule\"\n";

        I can't see a way to create this sort of rule in the UI though, because there's no free-form text field where you can specify your own options (in my case the "dup-to").

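As an added example (not the poster's code), the same two mirror rules wrapped in a small helper for filter.inc, with a guard for the case the concatenation approach above leaves open: an alias that expands to nothing, which would hand pf an empty { } and break the whole filter reload. filter_expand_alias() and $increment_tracker are the filter.inc names used in the post; log_error() is pfSense's logging helper; the interface, addresses, port and alias name are placeholders.

```php
<?php
// Added example for filter.inc: generate the outbound/inbound dup-to rules for
// a UI-defined alias. $increment_tracker is passed in rather than read as a
// global, since the post uses it in the same scope the rules are built in.
function build_alias_mirror_rules($alias_name, $wan_if, $mirror_if, $mirror_ip,
                                  $inside_host, $port, $increment_tracker) {
    // filter_expand_alias() returns the alias members as a space-separated list.
    $members = trim((string) filter_expand_alias($alias_name));
    if ($members === '') {
        // An empty "{ }" (or an empty PHP variable, as in the first post) leaves
        // pf with "to  port 80", which pfctl rejects. Skip the rules and log it
        // instead of failing the reload.
        log_error("custom mirror rules skipped: alias {$alias_name} expanded to nothing");
        return '';
    }
    $list = "{ {$members} }";
    $dup  = "dup-to ( {$mirror_if} {$mirror_ip} )";

    // Concatenate so PHP never interpolates a "$alias" token; pf sees the
    // literal address list instead.
    $rules  = "pass out log on { {$wan_if} } {$dup} inet proto tcp from any to {$list} port {$port}";
    $rules .= " ridentifier " . $increment_tracker() . " flags S/SA keep state"
            . " label \"USER_RULE: Outbound mirror {$alias_name}\"\n";
    $rules .= "pass in log on { {$wan_if} } {$dup} inet proto tcp from {$list} to {$inside_host} port {$port}";
    $rules .= " ridentifier " . $increment_tracker() . " flags S/SA keep state"
            . " label \"USER_RULE: Inbound mirror {$alias_name}\"\n";
    return $rules;
}

// Placeholder values; em1/192.168.1.3 is the mirror target from the post.
$ipfrules .= build_alias_mirror_rules("My_Alias", "em0", "em1", "192.168.1.3",
                                      "192.168.1.87", 80, $increment_tracker);
```

Because the alias is expanded at rule-generation time, a later change to the alias in the UI only reaches pf after the next filter reload, just as with the post's version.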
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.