I’m using plenty of #Illumos zones, and their #IPF firewall rulesets are mostly similar, so modularization would be very helpful. Unfortunately, #IPF (the firewall in #Illumos) doesn’t support an import directive to include smaller rule fragments to build a complete ruleset.

I’m thinking about using a macro expansion tool to pre-bake the rulesets. I considered m4 and cpp, but maybe you know something better.

Ideally, I’d like to write something like this:

```
ENABLE_INBOUND(tcp, 687)
```

…and have it expand to:

```
pass in quick on $ext_if proto tcp from any to $my_IP port = 687 keep state
```

and something like:

```
ENABLE_SSH_IN
```

to insert the necessary rules (simple macro expansion).

What kind of (ideally POSIX) tool would you use for this kind of rule generation?
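
One way to get both the macros and an include mechanism with nothing but POSIX sh, shown as an added example that is not part of the original post. The `EXT_IF`/`MY_IP` variables, the `include FILE` line syntax and the meaning of `ENABLE_SSH_IN` (inbound tcp/22) are assumptions; a bad protocol or port aborts the expansion so a typo never yields a partial ruleset.

```shell
#!/bin/sh
# Added example (not from the post): expand macro lines into ipf rules.
# EXT_IF / MY_IP default to the post's literal $ext_if / $my_IP placeholders;
# set them per zone to bake in real values (assumption).
EXT_IF=${EXT_IF:-'$ext_if'}
MY_IP=${MY_IP:-'$my_IP'}

die() { echo "ruleset error: $*" >&2; }

# Succeed only for a decimal port number in 1..65535 (no leading zero).
valid_port() {
    case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# ENABLE_INBOUND proto port: one stateful inbound pass rule.
ENABLE_INBOUND() {
    case ${1-} in tcp|udp) ;; *) die "bad protocol '${1-}'"; return 1 ;; esac
    valid_port "${2-}" || { die "bad port '${2-}'"; return 1; }
    printf 'pass in quick on %s proto %s from any to %s port = %s keep state\n' \
        "$EXT_IF" "$1" "$MY_IP" "$2"
}

# ENABLE_SSH_IN: assumed here to mean inbound tcp/22.
ENABLE_SSH_IN() { ENABLE_INBOUND tcp 22; }

# expand: read a fragment on stdin. Macro lines are expanded, "include FILE"
# splices in another fragment, everything else passes through unchanged.
# Any bad macro aborts with status 1 so a partial ruleset is never loaded.
expand() {
    while IFS= read -r line || [ -n "$line" ]; do
        oldifs=$IFS; IFS=' (),'; set -f
        set -- $line            # accepts "NAME a b" and "NAME(a, b)"
        set +f; IFS=$oldifs
        case ${1-} in
            include)
                [ -r "${2-}" ] || { die "cannot read '${2-}'"; return 1; }
                expand < "$2" || return 1 ;;
            ENABLE_INBOUND) ENABLE_INBOUND "${2-}" "${3-}" || return 1 ;;
            ENABLE_SSH_IN)  ENABLE_SSH_IN || return 1 ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}
```

Source the file and run `expand < zone.rules > ipf.conf.new`, then load the result only if `expand` exited with status 0.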