On Fri, Feb 22, 2019 at 03:02:07PM +0100, Alexandr Nedvedicky wrote:
>     so the option '-F Anchors' will also perform a '-Fr' on main ruleset, is
>     that correct?
No, my `-f /etc/pf.conf' is the equivalent of your `-F rules' here.

>     And also one more thing, which comes to my mind. How '-F Anchors' should
>     treat tables attached to anchors?
If an unreferenced anchor contains a table, either destroy that table
as well since it cannot be referenced, or abort garbage collecting the
anchor completely, possibly prompting the user to clean tables in
said anchors as well.

I tend towards the first option since anchors may contain tables that
were automatically created due to ruleset optimization.  That is to say,
enforcing manual removal of tables as well may become annoying for big
optimized rulesets, where administrators would have to wield `-F Tables'
and/or `-a aname -T kill -t tname' before having `-F Anchors' run
cleanly.

Does that make sense?

>     the firewall service (which is a kind of rc-script in fact) on Solaris
>     kills (removes) all tables first, then it removes anchors.
> 
>     What shall we do in case of '-F Anchors'? do we want '-F Anchors' to
>     kill attached tables too? Or should it just report "anchor can't be
>     removed, because table is still attached?"
See above.  What this "service" does roughly seems like what I have in mind.

>     It looks like '-F Anchors' shifts pfctl(8) from a simple tool, which does
>     exactly what it's told to do, to an advanced tool, which does more things
>     in one step.
But isn't that a perfect job for pfctl?  It manipulates everything, it's
the single interface for everything firewall related, and that's a good
thing.  Cleaning things up after work is done is a necessity; this is
about adding the missing pieces, imho.

>     The simple tools just seem to be more friendly for scripts, while an
>     advanced tool is easier to use by a human.
pfctl is well suited for both, and it always should be.
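The manual cleanup described above, as an added example that is not code from this thread or from pfctl itself: a POSIX sh script that finds anchors no main-ruleset rule references, kills the tables attached to them and then flushes their rules, which is the first of the two `-F Anchors' options discussed. The PFCTL variable is an assumption of this example, added so the logic can be exercised against a stub on a machine without pf.

```shell
# Added example, not code from the thread: emulate the proposed "-F Anchors"
# with today's pfctl(8), taking the first option discussed above, i.e. tables
# attached to an unreferenced anchor are killed before its rules are flushed.
# PFCTL is a hook (an assumption of this example) so the logic can be stubbed.
PFCTL="${PFCTL:-pfctl}"

# Top-level anchors known to the kernel, one per line.
list_anchors() { "$PFCTL" -sA; }

# Anchor names the main ruleset points at, taken from lines such as
#   anchor "ssh" all      (a wildcard reference comes out as  ftp-proxy/*)
referenced_anchors() {
    "$PFCTL" -sr | sed -n 's/^anchor "\([^"]*\)".*/\1/p'
}

# Succeeds when anchor $1 is covered by one of the references read on stdin;
# "foo/*" covers "foo" itself and everything below it.
is_referenced() {
    while read -r r; do
        case "$r" in
            */\*) case "$1" in "${r%/\*}"|"${r%/\*}"/*) return 0 ;; esac ;;
            "$1") return 0 ;;
        esac
    done
    return 1
}

# Anchors that exist but that no rule in the main ruleset references.
unreferenced_anchors() {
    refs=$(referenced_anchors)
    list_anchors | while read -r a; do
        [ -n "$a" ] || continue
        printf '%s\n' "$refs" | is_referenced "$a" || printf '%s\n' "$a"
    done
}

# The manual cleanup the thread describes: kill every table attached to the
# anchor (-T kill) and then flush its rules (-Fr).
flush_anchor() {
    "$PFCTL" -a "$1" -sT | while read -r t; do
        [ -n "$t" ] || continue
        "$PFCTL" -a "$1" -T kill -t "$t"
    done
    "$PFCTL" -a "$1" -Fr
}

flush_unreferenced_anchors() {
    unreferenced_anchors | while read -r a; do flush_anchor "$a"; done
}
```

Source the file and run `flush_unreferenced_anchors` as root; `PFCTL='echo pfctl'` turns it into a dry run that only prints the commands it would issue.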
