Date: Wed, 27 Apr 2005 20:21:35 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Daniel Hartmeier'" <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: RE: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]
Message-ID: <20050427192135.06A0F16@gw2.local.net>
In-Reply-To: <20050427185902.GC1264@insomnia.benzedrine.cx>
Good evening Daniel.

> On Wed, Apr 27, 2005 at 07:50:16PM +0100, Greg Hennessy wrote:
>
> > ~ # pfctl -v -s Anchors -a nbt:nbt
>
> Anchors have changed significantly in 3.7. Before, there were
> only two levels, like "first:second". Now they can be nested
> arbitrarily, and the syntax is like that of files within
> (sub)directories, like

I thought as much. I have tried the 3.7 syntax thinking it might be the
cause, but it made no difference, hence the mail to Max.

/me does a quick tweak.

Et voila.

# Discard unwanted NBT traffic
anchor "nbt/*"
load anchor "nbt/nbt" from "/etc/pf-nbt.conf"

Pfctl does say it's loading the anchor ok:

~ # pfctl -vf /etc/pf.conf | grep -i anchor
anchor "nbt/*" all
Loading anchor nbt/nbt from /etc/pf-nbt.conf

However

~ # pfctl -s Anchors
nbt
~ # pfctl -s Anchors -a nbt
nbt/nbt
~ # pfctl -s Anchors -a "nbt/nbt"
~ #

Nothing.

Trying it without any nesting doesn't make a difference.

# Discard unwanted NBT traffic
# anchor nbt
load anchor nbt from "/etc/pf-nbt.conf"

~ # pfctl -F a -vf /etc/pf.conf | grep -i anchor
rules cleared
nat cleared
1 tables deleted.
altq cleared
19 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
anchor "nbt" all
Loading anchor nbt from /etc/pf-nbt.conf
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt/nbt
~ #

Greg

>
> "first/second"
> "first/second/third"
>
> Note that ':' is replaced by '/' now.
>
> The semantics have also changed. Before, only the second
> level would actually contain rules. Now every level can
> contain rules. There's two forms of 'calls' now, which
> evaluate rules in anchors, like
>
> anchor "first/second"
> anchor "first/*"
>
> The first form (without the '*') will only evaluate the rules
> within the second anchor, while the second form will evaluate
> all rules within any sub-anchors of first (but not rules in
> first itself).
>
> See the updated pf.conf(5) man page, section ANCHORS for more details.
> If you've been using anchors before, you'll likely have to
> make some changes, at least to the syntax.
>
> Daniel
>
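An added illustration, not part of this mail thread and not pf's own code: a small Python model of the 3.7 anchor semantics Daniel describes (nested "first/second" paths, the exact call that evaluates one anchor, and the "first/*" call that evaluates the sub-anchors of first but not first itself). The rule strings standing in for /etc/pf-nbt.conf are constructed, the model assumes "first/*" reaches only the direct sub-anchors of first, and list_anchors() mirrors what pfctl -s Anchors [-a path] prints, namely the anchors attached directly below the given anchor, which is consistent with the listings in Greg's mail (nbt shows nbt/nbt below it; nbt/nbt shows nothing below it).

```python
"""Toy model of OpenBSD 3.7-style nested pf anchors (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Anchor:
    """One node in the anchor tree: its own rules plus named sub-anchors."""
    name: str
    rules: list[str] = field(default_factory=list)
    children: dict[str, Anchor] = field(default_factory=dict)


def convert_old_path(path: str) -> str:
    """Translate a pre-3.7 'first:second' anchor name to 'first/second'."""
    return path.replace(":", "/")


class Ruleset:
    """The main ruleset with anchors attached below it."""

    def __init__(self) -> None:
        self.root = Anchor(name="")

    def _walk(self, path: str, create: bool) -> Anchor | None:
        """Follow a '/'-separated path from the root, optionally creating nodes."""
        node = self.root
        for part in path.strip("/").split("/"):
            if not part:
                continue
            if part not in node.children:
                if not create:
                    return None
                node.children[part] = Anchor(name=part)
            node = node.children[part]
        return node

    def load_anchor(self, path: str, rules: list[str]) -> None:
        """Like 'load anchor "a/b" from file': put rules into a/b, creating parents."""
        node = self._walk(path, create=True)
        node.rules.extend(rules)

    def list_anchors(self, path: str | None = None) -> list[str]:
        """Model of 'pfctl -s Anchors [-a path]': direct children only, as full paths."""
        node = self.root if path is None else self._walk(path, create=False)
        if node is None:
            return []
        prefix = "" if path is None else path.strip("/") + "/"
        return [prefix + name for name in node.children]

    def evaluate_call(self, call: str) -> list[str]:
        """Rules that a rule 'anchor "<call>"' would evaluate.

        'first/second' -> the rules of anchor first/second only
        'first/*'      -> the rules of each direct sub-anchor of first,
                          not the rules of first itself (model assumption:
                          deeper levels are not descended)
        """
        if call.endswith("/*"):
            parent = self._walk(call[:-2], create=False)
            if parent is None:
                return []
            return [r for child in parent.children.values() for r in child.rules]
        node = self._walk(call, create=False)
        return list(node.rules) if node is not None else []


def demo() -> dict:
    """Reproduce the 'nbt' layout from the mail and show what each call sees."""
    rs = Ruleset()
    # Constructed rules standing in for the contents of /etc/pf-nbt.conf.
    rs.load_anchor("nbt", ["block in quick proto tcp to port 139"])
    rs.load_anchor("nbt/nbt", ["block in quick proto udp to port 137",
                               "block in quick proto udp to port 138"])
    rs.load_anchor("nbt/other", ["block in quick proto tcp to port 445"])
    return {
        "top": rs.list_anchors(),                    # pfctl -s Anchors
        "under_nbt": rs.list_anchors("nbt"),         # pfctl -s Anchors -a nbt
        "under_nbt_nbt": rs.list_anchors("nbt/nbt"), # pfctl -s Anchors -a nbt/nbt
        "call_exact": rs.evaluate_call("nbt/nbt"),   # anchor "nbt/nbt"
        "call_wild": rs.evaluate_call("nbt/*"),      # anchor "nbt/*"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes about the listings in the mail: -s Anchors enumerates anchors, not rules, so an empty listing for nbt/nbt is what a leaf anchor looks like and says nothing about whether its rules loaded. The check for the rules themselves is pfctl -a nbt/nbt -s rules (my reading of pfctl, not something the thread states).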