Date: Fri, 6 Jun 2025 13:00:02 GMT
Message-Id: <202506061300.556D02uC074900@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 6ea237c31eff - main - pf.conf.5: clarify filter evaluation and anchor loading
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6ea237c31effadc739163ccfcf595b1b5e2f0a60
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6ea237c31effadc739163ccfcf595b1b5e2f0a60

commit 6ea237c31effadc739163ccfcf595b1b5e2f0a60
Author:     Kristof Provost
AuthorDate: 2025-05-29 12:21:45 +0000
Commit:     Kristof Provost
CommitDate: 2025-06-06 12:59:47 +0000

    pf.conf.5: clarify filter evaluation and anchor loading

    * Clarify that filter rules are evaluated once per packet and interface,
      not only once per packet.
    * Clarify that the syntax anchor "name" { ... } both loads and evaluates
      the anchor, rather than merely loading it.

    Triggered by questions from Benedikt Neuffer .

    OK mikeb@

    Obtained from:  OpenBSD, schwarze , 7528bd0ba2
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 share/man/man5/pf.conf.5 | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 26ffef6d0471..a9fd9e8b29e1 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 28, 2025 +.Dd May 29, 2025 .Dt PF.CONF 5 .Os .Sh NAME 
@@ -703,8 +703,9 @@ and .Ar pass packets based on attributes of their Ethernet (layer 2) header. .Pp -For each packet processed by the packet filter, the filter rules are -evaluated in sequential order, from first to last. +Each time a packet processed by the packet filter comes in on or +goes out through an interface, the filter rules are evaluated in +sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet without creating a state. @@ -3063,12 +3064,13 @@ anchor, if any, before finally evaluating the .Ar pass rule. .Pp -Filter rule -.Ar anchors -can also be loaded inline in the ruleset within a brace ('{' '}') delimited -block. +An +.Ar anchor +rule can also contain a filter ruleset in a brace-delimited block. +In that case, no separate loading of rules into the anchor +is required. Brace delimited blocks may contain rules or other brace-delimited blocks. -When anchors are loaded this way the anchor name becomes optional. +When an anchor is populated this way the anchor name becomes optional. .Bd -literal -offset indent anchor "external" on $ext_if { block
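Review bot: In the -703,8 hunk, the new opening sentence is hard to parse: "a packet processed by the packet filter comes in on or goes out through an interface" hangs two verb phrases off one subject, and "processed by the packet filter" is circular since the sentence is describing what processing is. Consider "Each time a packet enters or leaves an interface, the packet filter evaluates the filter rules in sequential order, from first to last." Since the commit message says the whole point of the change is once per packet and interface rather than once per packet, it would also help to state the consequence outright: a packet forwarded between two interfaces is evaluated twice, once on the inbound interface and again on the outbound one, and each pass independently picks its own last matching rule. As written the reader still has to infer that from "comes in on or goes out through".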
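Review bot: In the -3063,12 hunk, the commit message says the brace syntax both loads and evaluates the anchor, but the new text only says "no separate loading of rules into the anchor is required"; evaluation is still left implicit, which was the reader's original confusion. Suggest adding a sentence such as "The rules in the block are evaluated when the anchor rule itself matches the packet, exactly as for a separately loaded anchor." Separately, "Brace delimited blocks" and "brace-delimited blocks" now appear in adjacent lines with different hyphenation; the hyphenated form matches the new "brace-delimited block" two lines above, so use it in both places.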