>From pf.conf(5):

        The anchor can also be populated by adding a load anchor rule after the
        anchor rule.  When pfctl(8) loads pf.conf, it will also load all the
        rules from the file /etc/pf-spam.conf into the anchor.

                anchor spam
                load anchor spam from "/etc/pf-spam.conf"

This is too much verbiage for nothing since we have `include'.
parse.y history shows

        revision 1.650
        date: 2016/06/16 15:46:20;  author: henning;  state: Exp;  lines: +1 -0;
        allow include in inline anchors
        with this,
        anchor foo {
                include "/path/to/rules"
        }
        works and "load anchor" is obsolete, to be removed somewhen later after
        release.
        co-production with reky at bsdcan, ok reyk mikeb benno sasha

Like this:

                anchor spam {
                        include /etc/pf-spam.conf
                }

OK to remove these duplicate semantics? Below is a diff for pfctl and
pf.conf(5).

pfctl regress still passes when I remove the `load anchor' tests and
adjust test 103 accordingly.

I'll send a separate regress diff after consensus and OKs but before
committing.  Same for our pf FAQ.

current.html with instructions to switch to the simpler syntax will
follow, as well.

Feedback? OK?

Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.688
diff -u -p -r1.688 parse.y
--- sbin/pfctl/parse.y  15 Nov 2018 03:22:01 -0000      1.688
+++ sbin/pfctl/parse.y  25 Dec 2018 15:37:37 -0000
@@ -394,15 +394,6 @@ int         map_tos(char *string, int *);
 int     rdomain_exists(u_int);
 int     filteropts_to_rule(struct pf_rule *, struct filter_opts *);
 
-TAILQ_HEAD(loadanchorshead, loadanchors)
-    loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
-
-struct loadanchors {
-       TAILQ_ENTRY(loadanchors)         entries;
-       char                            *anchorname;
-       char                            *filename;
-};
-
 typedef struct {
        union {
                int64_t                  number;
@@ -547,7 +538,6 @@ ruleset             : /* empty */
                | ruleset option '\n'
                | ruleset pfrule '\n'
                | ruleset anchorrule '\n'
-               | ruleset loadrule '\n'
                | ruleset queuespec '\n'
                | ruleset varset '\n'
                | ruleset antispoof '\n'
@@ -949,37 +939,6 @@ anchorrule : ANCHOR anchorname dir quick
                }
                ;
 
-loadrule       : LOAD ANCHOR string FROM string        {
-                       struct loadanchors      *loadanchor;
-
-                       if (strlen(pf->anchor->path) + 1 +
-                           strlen($3) >= PATH_MAX) {
-                               yyerror("anchorname %s too long, max %u\n",
-                                   $3, PATH_MAX - 1);
-                               free($3);
-                               YYERROR;
-                       }
-                       loadanchor = calloc(1, sizeof(struct loadanchors));
-                       if (loadanchor == NULL)
-                               err(1, "loadrule: calloc");
-                       if ((loadanchor->anchorname = malloc(PATH_MAX)) ==
-                           NULL)
-                               err(1, "loadrule: malloc");
-                       if (pf->anchor->name[0])
-                               snprintf(loadanchor->anchorname, PATH_MAX,
-                                   "%s/%s", pf->anchor->path, $3);
-                       else
-                               strlcpy(loadanchor->anchorname, $3, PATH_MAX);
-                       if ((loadanchor->filename = strdup($5)) == NULL)
-                               err(1, "loadrule: strdup");
-
-                       TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
-                           entries);
-
-                       free($3);
-                       free($5);
-               };
-
 scrub_opts     :       {
                                bzero(&scrub_opts, sizeof scrub_opts);
                        }
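Review bot: With the `loadrule` production gone, a pf.conf that still contains `load anchor` would presumably stop at a generic syntax error, so the ruleset does not load after an upgrade and the operator gets no hint at the replacement. Keeping a stub production for one release that frees `$3` and `$5` and reports `yyerror("load anchor is obsolete, use include in an anchor block"); YYERROR;` would make that failure self-explanatory. None of the posted parse.y hunks touch a `%token` declaration or keyword-table entry for `LOAD`; if those exist elsewhere in the file, they should be removed in the same commit so that `load` does not stay a reserved word with no rule behind it.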
@@ -5755,23 +5714,6 @@ parseport(char *port, struct range *r, i
                return (0);
        }
        return (-1);
-}
-
-int
-pfctl_load_anchors(int dev, struct pfctl *pf, struct pfr_buffer *trans)
-{
-       struct loadanchors      *la;
-
-       TAILQ_FOREACH(la, &loadanchorshead, entries) {
-               if (pf->opts & PF_OPT_VERBOSE)
-                       fprintf(stderr, "\nLoading anchor %s from %s\n",
-                           la->anchorname, la->filename);
-               if (pfctl_rules(dev, la->filename, pf->opts, pf->optimize,
-                   la->anchorname, trans) == -1)
-                       return (-1);
-       }
-
-       return (0);
 }
 
 int
Index: sbin/pfctl/pfctl.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.360
diff -u -p -r1.360 pfctl.c
--- sbin/pfctl/pfctl.c  18 Sep 2018 12:55:19 -0000      1.360
+++ sbin/pfctl/pfctl.c  25 Dec 2018 15:36:30 -0000
@@ -1668,11 +1665,6 @@ pfctl_rules(int dev, char *filename, int
        path = NULL;
 
        if (trans == NULL) {
-               /*
-                * process "load anchor" directives that might have used queues
-                */
-               if (pfctl_load_anchors(dev, &pf, t) == -1)
-                       ERRX("load anchors");
                pfctl_clear_queues(&qspecs);
                pfctl_clear_queues(&rootqs);
 
Index: sbin/pfctl/pfctl_parser.h
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.h,v
retrieving revision 1.112
diff -u -p -r1.112 pfctl_parser.h
--- sbin/pfctl/pfctl_parser.h   6 Sep 2018 15:07:34 -0000       1.112
+++ sbin/pfctl/pfctl_parser.h   25 Dec 2018 15:36:42 -0000
@@ -234,7 +234,6 @@ int pfctl_set_interface_flags(struct pfc
 
 int    parse_config(char *, struct pfctl *);
 int    parse_flags(char *);
-int    pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
 
 int    pfctl_load_queues(struct pfctl *);
 int    pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.577
diff -u -p -r1.577 pf.conf.5
--- share/man/man5/pf.conf.5    12 Jul 2018 05:54:49 -0000      1.577
+++ share/man/man5/pf.conf.5    25 Dec 2018 16:20:56 -0000
@@ -1803,21 +1803,6 @@ which blocks all packets from a specific
 # echo "block in quick from 1.2.3.4 to any" | pfctl -a spam -f -
 .Ed
 .Pp
-The anchor can also be populated by adding a
-.Ic load anchor
-rule after the anchor rule.
-When
-.Xr pfctl 8
-loads
-.Nm ,
-it will also load all the rules from the file
-.Pa /etc/pf-spam.conf
-into the anchor.
-.Bd -literal -offset indent
-anchor spam
-load anchor spam from "/etc/pf-spam.conf"
-.Ed
-.Pp
 An anchor rule can also contain a filter ruleset
 in a brace-delimited block.
 In that case, no separate loading of rules into the anchor
@@ -1888,10 +1873,7 @@ translation rules, for example, may also
 Anchor rules are evaluated relative to the anchor in which they are contained.
 For example,
 all anchor rules specified in the main ruleset will reference
-anchor attachment points underneath the main ruleset,
-and anchor rules specified in a file loaded from a
-.Ic load anchor
-rule will be attached under that anchor point.
+anchor attachment points underneath the main ruleset.
 .Pp
 Anchors may end with the asterisk
 .Pq Sq *
@@ -2778,8 +2760,6 @@ anchor-rule    = "anchor" [ string ] [ (
                  [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
 
 anchor-close   = "}"
-
-load-anchor    = "load anchor" string "from" filename
 
 queueopts-list = queueopts-list queueopts | queueopts
 queueopts      = ([ "bandwidth" bandwidth ] | [ "min" bandwidth ] |
===================================================================
Stats: --- 85 lines 2202 chars
Stats: +++ 1 lines 54 chars
Stats: -84 lines
Stats: -2148 chars
