This is probably a case of misplaced expectations, but I can't assign
the same rules to a group of pf anchors, using something like "foo/*".
Rules get attached to the parent anchor.
Minimal working example:
/tmp/pf.conf:
anchor "foo" {
    anchor "lan" from 192.168.0.1
    anchor "wlan" from 192.168.1.1
}
# pfctl -f /tmp/pf.conf
# pfctl -a '*' -sr
anchor "foo" all {
  anchor "lan" inet from 192.168.0.1 to any {
  }
  anchor "wlan" inet from 192.168.1.1 to any {
  }
}
# echo "pass inet proto tcp to port 80" | pfctl -a 'foo/*' -f -
# pfctl -a '*' -sr
anchor "foo" all {
  pass inet proto tcp from any to any port = 80 flags S/SA
}
Of course things work fine if you assign them individually:
# pfctl -f /tmp/pf.conf
# echo "pass inet proto tcp to port 80" | pfctl -a 'foo/lan' -f -
# echo "pass inet proto tcp to port 80" | pfctl -a 'foo/wlan' -f -
# pfctl -a '*' -sr
anchor "foo" all {
  anchor "lan" inet from 192.168.0.1 to any {
    pass inet proto tcp from any to any port = 80 flags S/SA
  }
  anchor "wlan" inet from 192.168.1.1 to any {
    pass inet proto tcp from any to any port = 80 flags S/SA
  }
}
Is this the expected behaviour? From reading pf.conf(5) I'd expect the
"foo/*" syntax to work in the same manner for getting ("-sr") or
setting ("-f -") rules, but maybe I'm getting it wrong. Just wondering
if I stepped on a bug.
All the best
Zé
--
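The per-anchor loading shown in the message works but has to be repeated by hand for every child anchor. The script below is an added example, not part of the original post and not pfctl's own code: it enumerates the direct children of a parent anchor with `pfctl -a <parent> -sA` and loads the same ruleset file into each of them, which is the effect the poster expected from `-a 'foo/*' -f`. It assumes the `-sA` output format of one anchor per line with two leading spaces (e.g. `  foo/lan`), assumes anchor names contain no newlines, and needs root and a running pf for real use; the `PFCTL` variable is an assumption that lets a wrapper stand in for the real binary.

```shell
#!/bin/sh
# Added example (not from the original post or from pf/pfctl): load one
# ruleset into every child anchor of a parent, because
# 'pfctl -a foo/* -f -' attaches the rules to the parent anchor instead.
# PFCTL (assumed name) can be pointed at a wrapper for dry runs.
set -eu

PFCTL=${PFCTL:-pfctl}

# Print the direct child anchors of "$1", one per line, as full paths such
# as foo/lan. Assumes 'pfctl -a <parent> -sA' prints each child with two
# leading spaces and no recursion (recursion needs -v, which we avoid so
# that nested grandchildren are not loaded twice).
list_child_anchors() {
    "$PFCTL" -a "$1" -sA | sed -n 's/^  //p'
}

# Load the ruleset file "$2" into each child anchor of "$1".
# Prints the path of every anchor that received the rules, one per line,
# so a caller can see (and a test can check) what was touched.
load_into_children() {
    parent=$1
    rules=$2
    list_child_anchors "$parent" | while IFS= read -r a; do
        # -f replaces the child's ruleset with the contents of the file,
        # exactly as 'pfctl -a foo/lan -f file' does by hand.
        "$PFCTL" -a "$a" -f "$rules"
        printf '%s\n' "$a"
    done
}

# Stand-alone use: load_into_children.sh <parent-anchor> <rules-file>
if [ "$#" -eq 2 ]; then
    load_into_children "$1" "$2"
fi
```

Because `-f` loads from a file rather than stdin, the ruleset can be read once per child; piping a single `echo` into the loop would only feed the first anchor. Run it as `./load_into_children.sh foo /etc/pf.anchor-rules` after the parent ruleset from the message is in place.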