PF: Help With Tables vs Macros

[jasonvp]

Hey gang -

I posted this over on the FreeBSD.org forums, and figured I'd post it here, too. I just built a new server running FreeBSD 10.2 and locked it down with pf. After spinning up a bunch of jails (sendmail over here, named over there, a few web servers here and there, etc) I punched holes in the pf.conf to allow traffic to and from them. I did so using macros in the /etc/pf.conf file.

All good.

A few of the macros allow a range of loopbacks to talk to one another so that the jails can actually communicate internally with themselves. Meaning: jail1 can talk to jail1 via its loopback. Jail2 can talk to jail2 via it's loopback, etc.

Code:

# IPv4 and v6 loopbacks
ipv4_loopback = "{ 127.0.0.0/8 }"
ipv6_loopback = "{ ::/64 }"
.
.
.
pass in quick from $ipv4_loopback to $ipv4_loopback
pass in quick from $ipv6_loopback to $ipv6_loopback

And as a test, I have a sendmail milter installed on one of my jails that its sendmail talks to via 127.0.0.1. That works.

I tried to get tricky and convert the macros over to tables, like so:

Code:

# IPv4 and v6 loopbacks
table <ipv4_loopback> const {127.0.0.0/8}
table <ipv6_loopback> const {::/64}
.
.
.
# Local loop to loop allows
pass in quick from <ipv4_loopback> to <ipv4_loopback>
pass in quick from <ipv6_loopback> to <ipv6_loopback>

Once I did that and loaded the new rules, sendmail on that aforementioned jail could no longer talk to its local (127.0.0.1) milter. I even tried to telnet to the milter's port on the jail and no luck. Reverting the pf rules back to macros worked.

So: I clearly don't understand the use of tables vs macros. Any guidance? Calling me an idiot is perfectly acceptable here if I'm doing something drastically stupid.

Thanks!