Having trouble sending this to [EMAIL PROTECTED] list, so I'm sending to misc@ instead.

------

I got caught by an interesting situation recently, which I eventually tracked down to the following situation. The anchor in the main ruleset was given like:

    anchor "test/*"

However the anchor was populated using just the name, e.g. like this:

    load anchor "test" from "/tmp/test-r.anchor"

(In reality, it was being loaded from an external program.)
The result of this was that the contents of the anchor are visible through pfctl, whether '-a "test/*"' or '-a test' is given; however, the contents of the anchor were never evaluated.

Output of 'pfctl -sA' just gives:

    test

which doesn't offer any clues as to which syntax is used - "test" or "test/*".

Simple test case:

----pf.conf----
nat-anchor "test/*"
rdr-anchor "test/*"
anchor "test/*"
load anchor "test" from "/tmp/test-r.anchor"
pass in label "main-ruleset"
pass all
----/tmp/test-r.anchor----
pass in quick label "anchor"
----END----

Run with these rules for a moment, and 'pfctl -vsl' / 'pfctl -vsl -a "test"' output gives:

    main-ruleset 35 72 8646 72 8646 0 0
    anchor 0 0 0 0 0 0 0

I.e. the rule labeled "anchor" is not evaluated.

I'm not sure about the best way to handle this. Should "test" not be allowed as an anchor name if "test/*" is listed as an anchor, or should "test" be evaluated if "test/*" is an anchor?

-- Craig
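As an added check (not part of Craig's post, and not code from pf or pfctl), the following Python script parses a ruleset of the shape shown above and flags anchors that are loaded under a name no anchor rule in the main ruleset will ever evaluate. It encodes the behaviour the post observes: an 'anchor "test/*"' rule evaluates the child anchors of "test" (assumed here: direct children only, e.g. "test/ext") but not rules loaded into "test" itself, while a plain 'anchor "test"' rule must match the name exactly.

```python
import re

# Constructed sample mirroring the pf.conf in the post: the anchor is declared
# as "test/*" but populated under the bare name "test".
SAMPLE_PF_CONF = '''\
nat-anchor "test/*"
rdr-anchor "test/*"
anchor "test/*"
load anchor "test" from "/tmp/test-r.anchor"
pass in label "main-ruleset"
pass all
'''

# Anchor evaluation rules: anchor, nat-anchor, rdr-anchor, binat-anchor "name"
DECL_RE = re.compile(r'^\s*(?:nat-|rdr-|binat-)?anchor\s+"([^"]+)"')
# Rules that populate an anchor from a file: load anchor "name" from "path"
LOAD_RE = re.compile(r'^\s*load\s+anchor\s+"([^"]+)"\s+from\s+"([^"]+)"')

def parse_pf_conf(text):
    """Return (declared anchor patterns, loaded anchor names) from a ruleset."""
    declared, loaded = [], []
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing comments
        m = LOAD_RE.match(line)
        if m:
            loaded.append(m.group(1))
            continue
        m = DECL_RE.match(line)
        if m:
            declared.append(m.group(1))
    return declared, loaded

def pattern_evaluates(pattern, name):
    """Does an anchor rule with this pattern evaluate rules loaded into 'name'?
    Assumed semantics: "x/*" evaluates direct children x/foo, x/bar, but not
    rules sitting directly in x; a plain pattern must match exactly."""
    if pattern.endswith('/*'):
        parent = pattern[:-2]
        rest = name[len(parent) + 1:]
        return name.startswith(parent + '/') and rest and '/' not in rest
    return pattern == name

def unevaluated_anchors(text):
    """Loaded anchors that no anchor rule in the main ruleset evaluates."""
    declared, loaded = parse_pf_conf(text)
    return [n for n in loaded if not any(pattern_evaluates(p, n) for p in declared)]

if __name__ == '__main__':
    for name in unevaluated_anchors(SAMPLE_PF_CONF):
        print(f'anchor "{name}" is loaded but never evaluated')
```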

