Hello Klemens,
I just need to clarify some details.
</snip>
> > the 'unreferenced' means the anchor is not reachable by any packet.
> > like there is no path for packet between main ruleset and that
> > particular
> > anchor (and all its descendants).
> Yes. With the regress suite for example, the following should leave no
> trace of regress anchors or rules:
>
> make
> pfctl -f /etc/pf.conf
> pfctl -F Anchors
so the option '-F Anchors' will also perform a '-Fr' on main ruleset, is
that correct?
And also one more thing, which comes to my mind. How '-F Anchors' should
treat tables attached to anchors?
the firewall service (which is a kind of rc-script in fact) on Solaris,
kills (removes) all tables first, then it removes anchors.
What shall we do in case of '-F Anchors'? do we want '-F Anchors' to
kill attached tables too? Or should it just report "anchor can't be
removed, because table is still attached?"
It looks like '-F Anchors' shifts pfctl(8) from simple tool, which does
exactly what it's told to do, to advanced tool, which does more things at
one step.
The simple tools just seem to be more friendly for scripts, while advanced
tool is easier to use by human.
thanks and
regards
sasha
