Considered BETA now [Re: New PF (OpenBSD 3.7 ***ALPHA-preview***)]
Greg Hennessy
Greg.Hennessy at nviz.net
Wed Apr 27 12:21:48 PDT 2005
Good evening, Daniel.
> On Wed, Apr 27, 2005 at 07:50:16PM +0100, Greg Hennessy wrote:
>
> > ~ # pfctl -v -s Anchors -a nbt:nbt
>
> Anchors have changed significantly in 3.7. Before, there were
> only two levels, like "first:second". Now they can be nested
> arbitrarily, and the syntax is like that of files within
> (sub)directories, like
I thought as much, I have tried the 3.7 syntax thinking it might be the
cause but it made no difference, hence the mail to Max.
/me does a quick tweak.
Et voilà.
# Discard unwanted NBT traffic
anchor "nbt/*"
load anchor "nbt/nbt" from "/etc/pf-nbt.conf"
Pfctl does say it's loading the anchor ok
~ # pfctl -vf /etc/pf.conf | grep -i anchor
anchor "nbt/*" all
Loading anchor nbt/nbt from /etc/pf-nbt.conf
However
~ # pfctl -s Anchors
nbt
~ # pfctl -s Anchors -a nbt
nbt/nbt
~ # pfctl -s Anchors -a "nbt/nbt"
~ #
Nothing.
Trying it without any nesting doesn't make a difference.
# Discard unwanted NBT traffic
#
anchor nbt
load anchor nbt from "/etc/pf-nbt.conf"
~ # pfctl -F a -vf /etc/pf.conf | grep -i anchor
rules cleared
nat cleared
1 tables deleted.
altq cleared
19 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
anchor "nbt" all
Loading anchor nbt from /etc/pf-nbt.conf
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors
nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt
nbt/nbt
~ # pfctl -v -s Anchors -a nbt/nbt
~ #
Greg
>
> "first/second"
> "first/second/third"
>
> Note that ':' is replaced by '/' now.
>
> The semantics have also changed. Before, only the second
> level would actually contain rules. Now every level can
> contain rules. There's two forms of 'calls' now, which
> evaluate rules in anchors, like
>
> anchor "first/second"
> anchor "first/*"
>
> The first form (without the '*') will only evaluate the rules
> within the second anchor, while the second form will evaluate
> all rules within any sub-anchors of first (but not rules in
> first itself).
>
> See the updated pf.conf(5) man page, section ANCHORS for more details.
> If you've been using anchors before, you'll likely have to
> make some changes, at least to the syntax.
>
> Daniel
>
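As an added illustration of the 3.7 anchor layout Daniel describes (nested "first/second" names, the "first/*" wildcard call, and "load anchor ... from"), here is a constructed pair of pf.conf fragments. This is example configuration, not Greg's or Daniel's files: the interface name em0, the port list and the contents of /etc/pf-nbt.conf are all assumptions; only the anchor names and the two statements from the thread are taken from the page.

```pf
# Constructed example, not the files from the thread.
# Assumes an external interface "em0"; the NBT port list is an assumption.

# ---- /etc/pf.conf (main ruleset) ----

ext_if = "em0"

# 3.7 names nested anchors like paths ("first/second"); the 3.6
# "first:second" form is gone.

# Evaluate the rules in every sub-anchor of "nbt" (nbt/nbt and any
# others created later), but not rules placed directly in "nbt" itself.
anchor "nbt/*"

# Alternative that evaluates only the one named sub-anchor:
# anchor "nbt/nbt"

# Populate the sub-anchor from its own file when this ruleset is loaded.
load anchor "nbt/nbt" from "/etc/pf-nbt.conf"

pass out on $ext_if keep state

# ---- /etc/pf-nbt.conf (loaded into anchor nbt/nbt) ----
# Rules in an anchor file use the same syntax as the main ruleset.

nbt_ports = "{ 137, 138, 139, 445 }"   # assumed NetBIOS/SMB ports

block in quick on $ext_if proto { tcp, udp } from any to any port $nbt_ports
```

To inspect the result after `pfctl -f /etc/pf.conf`: `pfctl -s Anchors` lists the top-level anchors (here, nbt), and `pfctl -s Anchors -a nbt` lists the anchors attached beneath nbt (here, nbt/nbt). `-s Anchors` only ever lists anchor names, so running it with `-a nbt/nbt` prints nothing because nbt/nbt has no sub-anchors of its own; to see the rules that `load anchor` put into it, ask for rules instead: `pfctl -a nbt/nbt -s rules`.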