i'm trying to convert a lot of my ruleset to anchors with interface/direction/etc for speed (kind of like you'd do with iptables and jumping between chains to avoid evaluating unnecessary rules). so far it seems to be working well, and i'm avoiding the evaluation of at least 50 rules on average.
few things i don't understand that are not documented. it seems tags are not passed between anchored rulesets, or from the main ruleset to an anchor. is this true? why? it makes it a pain in the ass.

i'm also trying to understand tables (i get a lot of whining about namespace conflicts, even though i'm obeying my assumptions about tables in the main ruleset being 'global' and tables in the anchored rulesets only applying to the context of that ruleset).

oh yeah, and the pf faq mentions you can tag on anchor rules. 'tagged' doesn't seem to work though. is it my syntax, or is that not possible yet?

practical examples of my problem:

- i tag a nat rule 'foo' in the main ruleset, and i pass tagged 'foo' in an anchored ruleset. it does not match the rule. moving the rule back to the main ruleset causes it to match.

- i create a table <foo> in the main ruleset and stick 10.0.0.0/24 in it. i pass in from <foo> in an anchored ruleset. the rule does not match. shouldn't tables in a 'parent' anchor ruleset be global? there are some tables i use everywhere. if i create the table in a bunch of anchor rulesets, it whines about namespace (so i have to rename it each time...?)

- i do something like 'anchor bar tagged foo' (for example, to jump to that rule only for packets matching my nat). it doesn't let me. is that not implemented yet?

i'd really appreciate any light shed on these issues. i'd also appreciate them being documented properly. tables in the context of the main ruleset and anchored rulesets is never mentioned in the pf.conf man page, nor is the limitation of tags not being passed.

oh yeah, using 3.7-release.

- steve haslin
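the three cases above, written out as a main ruleset plus two anchor files so the layout can be reproduced; this is an added illustration, not configuration from the original post, and the interface names, anchor names and file paths are assumptions. the anchor rules are scoped by direction and interface in the way the post describes, and the comments only record what the post reports for each rule.

```conf
# /etc/pf.conf (main ruleset) -- constructed example, not from the original post.
# interface names, anchor names and file paths are assumptions.
ext_if = "fxp0"
int_if = "fxp1"

# table defined in the main ruleset; the post expects it to be
# visible ("global") from inside anchored rulesets.
table <foo> { 10.0.0.0/24 }

# nat rule in the main ruleset that tags every translated packet 'foo'
# (in pf.conf nat syntax the tag keyword comes before the "->" target).
nat on $ext_if from 10.0.0.0/24 to any tag foo -> ($ext_if)

# anchors restricted by direction/interface so each anchored ruleset is
# only evaluated for traffic that can match its rules.
anchor "lan-in" in on $int_if
anchor "wan-out" out on $ext_if
load anchor "lan-in" from "/etc/pf.anchors/lan-in"
load anchor "wan-out" from "/etc/pf.anchors/wan-out"

# third case from the post: select the anchor by tag. the post reports
# that pfctl does not accept this form on 3.7, so it is left commented out.
# anchor "wan-out" out on $ext_if tagged foo

# ---- /etc/pf.anchors/lan-in (anchored ruleset) ----
# macros from the main file are not assumed here, so interfaces are literal.
# second case from the post: references the main ruleset's table <foo>;
# the post reports this rule does not match when placed in the anchor.
pass in on fxp1 from <foo> to any keep state

# ---- /etc/pf.anchors/wan-out (anchored ruleset) ----
# first case from the post: matches on the tag set by the main ruleset's
# nat rule; the post reports this matches in the main ruleset but not here.
pass out on fxp0 tagged foo keep state
```

load the main file with `pfctl -f /etc/pf.conf` and inspect each anchor's rules and tables separately with `pfctl -a lan-in -s rules` and `pfctl -a lan-in -s Tables` to see which ruleset a table or rule actually ended up in.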
