On 2009/04/16 09:19, Jim Rosenberg wrote:
> Sorry this is such a basic question ...
>
> I'm having difficulty understanding just what the difference is between
> saying
>
> anchor "foo"
>
> and
>
> anchor "foo/*"
>
> What exactly goes wrong if you leave off the "/*"? The implication is
> that without the "/*", rules inside the anchor "aren't evaluated" --
> ??? But then, if they aren't evaluated then what does anchor "foo"
> accomplish? How do the filter rules in anchor foo get evaluated if all
> you say is anchor "foo" with no "/*"? If the anchor rules in anchor foo
> *are* evaluated when you say anchor "foo", then why bother with "/*" --
> it just makes the rules harder to read.
>
> Does this have to do with what may already be there in the anchor
> before an anchor rule for foo is seen for the first time?
>
> This is all very confusing. The documentation and FAQ make it seem as
> though anchor "foo" and anchor "foo/*" should be synonymous.
pf.conf(5) is reasonably clear about this, I think...
"ANCHORS
Besides the main ruleset, pfctl(8) can load rulesets into anchor attachment points. An anchor is a container that can hold rules, address tables, and other anchors."
...
"Anchors may end with the asterisk (`*') character, which signifies that all anchors attached at that point should be evaluated in the alphabetical ordering of their anchor name. For example,
anchor "spam/*"
will evaluate each rule in each anchor attached to the spam anchor."
Did you find this confusing, and if so, can you suggest any changes we could make that might help make it more clear? Or did you just not find that part of the documentation?
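As an added illustration of the two forms discussed above (a constructed pf.conf fragment, not something posted in this thread), the following shows a wildcard anchor rule beside a plain one. The interface name "em0", the anchor names "spam" and "filter", and the addresses are assumptions chosen for the example; the sub-anchors referenced in the comments would be loaded separately with pfctl(8).

```pf
# Constructed example, not from the original thread.
# Main ruleset; "em0", "spam" and "filter" are assumed names.

# Form 1: wildcard.  Evaluates every anchor attached at "spam"
# (e.g. spam/blacklist and spam/greylist, loaded afterwards with
# "pfctl -a spam/blacklist -f <file>"), in alphabetical order of
# anchor name.  The anchor rule itself may carry filter criteria,
# so the sub-anchors are only consulted for matching packets.
anchor "spam/*" in on em0 proto tcp to port 25

# Form 2: no wildcard.  Evaluates only the ruleset held in the
# anchor "filter" itself.  Anchors attached below it (filter/...)
# are not evaluated unless filter's own ruleset contains anchor
# rules naming them.
anchor "filter" in on em0

# The same anchor can also be populated inline from the main
# ruleset, which is one way its rules get there at all.
anchor "filter" in on em0 {
	block in quick from 192.0.2.0/24
	pass in proto tcp to port 22
}

pass out on em0
```

With this loaded, `pfctl -a spam/blacklist -f /path/to/blacklist.rules` attaches a child ruleset under "spam" and the wildcard rule picks it up on the next evaluation with no change to the main ruleset; the plain `anchor "filter"` form would need an explicit anchor rule inside "filter" before any child of it is consulted.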