On Wed, Mar 29, 2006 at 03:07:10PM -0500, David Steinbrunner wrote:

> I currently have a working anchor that I would like to split into many
> anchors.  The anchor is meant for the rules related to a table so the parent
> anchor defines the table and then the child anchors hold different types of
> blocking and passing rules in each of them.  I can't seem to get the rules
> that are in the nested anchors to get evaluated so I have a strong suspicion
> that is because they are not linked up to their parent correctly.
> 
> I have been through so many variations of how this could be done that I
> don't even know which has been my best attempt or even if I have had a best
> attempt ;P.  Hopefully the above description along with the following
> diagram will be enough for someone to figure out what I am looking for and
> provide a small example of how it is done.
> 
> pf.conf
> |
> \-> main_anchor
>     |
>     |-> first_sub_anchor
>     |
>     |-> second_sub_anchor
>     |
>     \-> third_sub_anchor

First, anchors are not evaluated just because they exist. You always
need a 'call' to get them evaluated.

The main ruleset is the only thing that gets evaluated by default.
Hence, you need at least one call from there.

You can either call all your anchors from the main ruleset explicitly,
like

  pf.conf
    anchor "main_anchor"
    anchor "main_anchor/first_sub_anchor"
    anchor "main_anchor/second_sub_anchor"
    anchor "main_anchor/third_sub_anchor"

or use a wildcard to evaluate all, like

  pf.conf
    anchor "main_anchor"
    anchor "main_anchor/*"

or you can use indirect calls, i.e. have pf.conf just call main_anchor,
and do further calls from there, like

  pf.conf
    anchor "main_anchor"

  main_anchor
    anchor "*"

More examples can be found in pf.conf(5) and authpf(8).

Daniel
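
Added example, not part of the original thread: a small Python model of the rule described in the reply above, that an anchor's rules are only evaluated when a chain of anchor calls reaches it from the main ruleset. It reports loaded anchors that nothing calls. The function names and the sample rulesets are constructed; the model assumes relative names resolve against the calling anchor and that "*" matches directly attached anchors only.

```python
# Simplified model of pf anchor evaluation: only anchor calls are modelled.
# Assumptions: "" is the main ruleset (pf.conf), relative names resolve against
# the calling anchor, and "*" matches directly attached anchors only.

def resolve(caller, target):
    """Turn a call target into a full anchor path."""
    if target.startswith("/"):
        return target.strip("/")
    return f"{caller}/{target}".strip("/")

def evaluated_anchors(calls, loaded):
    """Anchors reachable from the main ruleset through anchor calls."""
    loaded = set(loaded)
    seen, todo = set(), [""]
    while todo:
        caller = todo.pop()
        for target in calls.get(caller, []):
            path = resolve(caller, target)
            if path == "*" or path.endswith("/*"):
                parent = path[:-1].rstrip("/")
                hits = {a for a in loaded if a.rpartition("/")[0] == parent}
            else:
                hits = {path} & loaded
            for anchor in hits - seen:
                seen.add(anchor)
                todo.append(anchor)
    return seen

def never_evaluated(calls, loaded):
    """Loaded anchors whose rules can never match because nothing calls them."""
    return sorted(set(loaded) - evaluated_anchors(calls, loaded))

# Constructed sample data, using the anchor names from the diagram.
SUBS = [f"main_anchor/{n}_sub_anchor" for n in ("first", "second", "third")]
LOADED = ["main_anchor"] + SUBS

RULESETS = {
    "no sub-anchor calls": {"": ["main_anchor"]},
    "explicit": {"": ["main_anchor"] + SUBS},
    "wildcard": {"": ["main_anchor", "main_anchor/*"]},
    "indirect": {"": ["main_anchor"], "main_anchor": ["*"]},
}

if __name__ == "__main__":
    for name, calls in RULESETS.items():
        print(f"{name}: never evaluated = {never_evaluated(calls, LOADED)}")
```

Only the first ruleset leaves the three sub-anchors unevaluated; the other three correspond to the explicit, wildcard and indirect forms shown in the reply.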
