From owner-freebsd-pf@FreeBSD.ORG Wed Apr 27 19:21:48 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F7D316A4CE for <freebsd-pf@freebsd.org>; Wed, 27 Apr 2005 19:21:48 +0000 (GMT)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3FA3D43D5A for <freebsd-pf@freebsd.org>; Wed, 27 Apr 2005 19:21:48 +0000 (GMT) (envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local.net (unknown [62.3.210.251]) by smtp.nildram.co.uk (Postfix) with ESMTP id E1257261CD1 for <freebsd-pf@freebsd.org>; Wed, 27 Apr 2005 20:21:43 +0100 (BST)
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Daniel Hartmeier'"
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 Apr 2005 20:21:35 +0100
Subject: RE: Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]
In-Reply-To: <20050427185902.GC1264@insomnia.benzedrine.cx>
Message-Id: <20050427192135.06A0F16@gw2.local.net>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf.freebsd.org>

Good evening Daniel.

> On Wed, Apr 27, 2005 at 07:50:16PM +0100, Greg Hennessy wrote:
>
> > ~ # pfctl -v -s Anchors -a nbt:nbt
>
> Anchors have changed significantly in 3.7. Before, there were
> only two levels, like "first:second". Now they can be nested
> arbitrarily, and the syntax is like that of files within
> (sub)directories, like

I thought as much. I have tried the 3.7 syntax thinking it might be the
cause, but it made no difference, hence the mail to Max.

/me does a quick tweak.

Et voilà.
# Discard unwanted NBT traffic
anchor "nbt/*"
load anchor "nbt/nbt" from "/etc/pf-nbt.conf"

Pfctl does say it's loading the anchor OK:

~ # pfctl -vf /etc/pf.conf | grep -i anchor
anchor "nbt/*" all
Loading anchor nbt/nbt from /etc/pf-nbt.conf

However:

~ # pfctl -s Anchors
nbt
~ # pfctl -s Anchors -a nbt
nbt/nbt
~ # pfctl -s Anchors -a "nbt/nbt"
~ #

Nothing.

Trying it without any nesting doesn't make a difference.

# Discard unwanted NBT traffic
# anchor nbt
load anchor nbt from "/etc/pf-nbt.conf"

~ # pfctl -F a -vf /etc/pf.conf | grep -i anchor
rules cleared
nat cleared
1 tables deleted.
altq cleared
19 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
anchor "nbt" all
Loading anchor nbt from /etc/pf-nbt.conf
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt/nbt
~ #

Greg

>
> "first/second"
> "first/second/third"
>
> Note that ':' is replaced by '/' now.
>
> The semantics have also changed. Before, only the second
> level would actually contain rules. Now every level can
> contain rules. There are two forms of 'calls' now, which
> evaluate rules in anchors, like
>
> anchor "first/second"
> anchor "first/*"
>
> The first form (without the '*') will only evaluate the rules
> within the second anchor, while the second form will evaluate
> all rules within any sub-anchors of first (but not rules in
> first itself).
>
> See the updated pf.conf(5) man page, section ANCHORS for more details.
> If you've been using anchors before, you'll likely have to
> make some changes, at least to the syntax.
>
> Daniel
>
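The following is an added illustration of the 3.7 anchor syntax Daniel describes and the two forms of anchor call; it is not part of the original thread and not Greg's or Daniel's configuration. The interface name, the anchor file contents and the NetBIOS/SMB port list are constructed for the example. Note that `pfctl -s Anchors` lists anchor names (which is why `-s Anchors -a nbt/nbt` prints nothing for a leaf anchor with no children); the rules loaded into an anchor are shown with `pfctl -a <anchor> -s rules`.

```pf
# --- /etc/pf.conf (constructed example) ---------------------------------
ext_if = "em0"            # assumption: external interface name

# Form 2: evaluate the rules of every sub-anchor of "nbt"
# (nbt/nbt, nbt/other, ...), but NOT rules attached to "nbt" itself.
anchor "nbt/*"

# Form 1 (alternative, shown commented out): evaluate exactly one named
# sub-anchor and ignore any sibling sub-anchors.
# anchor "nbt/nbt"

# Populate the sub-anchor nbt/nbt from a file when this ruleset is loaded.
# The path component separator is '/' in 3.7; "nbt:nbt" is the old 2-level form.
load anchor "nbt/nbt" from "/etc/pf-nbt.conf"

pass out on $ext_if keep state

# --- /etc/pf-nbt.conf (constructed example; rules inside anchor nbt/nbt) --
# Drop inbound NetBIOS/SMB so it never reaches the main ruleset's pass rules.
block drop in quick on em0 proto { tcp, udp } from any to any \
    port { 137, 138, 139, 445 }

# --- Inspecting the result (commands as used in the thread) --------------
# pfctl -s Anchors              # top-level anchors: prints "nbt"
# pfctl -s Anchors -a nbt       # children of nbt: prints "nbt/nbt"
# pfctl -s Anchors -a nbt/nbt   # nbt/nbt has no children: prints nothing
# pfctl -a nbt/nbt -s rules     # the block rule loaded from /etc/pf-nbt.conf
```

The practical security point is the difference between the two calls: `anchor "nbt/*"` picks up any sub-anchor later added under `nbt` (for instance by a daemon doing `pfctl -a nbt/dynamic -f -`), whereas `anchor "nbt/nbt"` evaluates only that one sub-anchor, so rules loaded elsewhere under `nbt` would silently never be consulted. Choose the form that matches who is allowed to add rules under that anchor.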