* Teemu Rinta-aho <[email protected]> [2010-06-07 19:51]:
> Hi,
>
> I was thinking of simplifying the pf.conf by using anchors. My
> idea was to have two anchors: "incoming" and "outgoing", and
> then those two would have sub-anchors per interface. This would
> hopefully reduce errors and make pf.conf more readable. However,
> the following two do not work:
>
> case a)
>
> anchor "incoming" in {
>     anchor on re0 {
>         pass quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>     }
> }
>
> case b)
>
> anchor "on_re0" on re0 {
>     anchor in {
>         pass quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>     }
> }
>
> I thought the inmost rule would inherit "in on re0" from its
> parent anchors in both cases, but pfctl gives the following error
> for both a) and b):
>
> ./pf.conf:111: rdr-to can only be used inbound
> ./pf.conf:111: skipping rule due to errors
> ./pf.conf:111: rule expands to no valid combination
hmm. your understanding is correct, the in is (kind of, practically it is, we won't hit the rule unless the "in" condition in the anchor is true) inherited. the little validity check in pfctl doesn't grok that tho. hrm.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
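As an added illustration (not part of the thread and not from either poster), here is the same two-level anchor layout written so that it loads: the direction and interface are restated on the innermost rule, because pfctl's rdr-to check, as the reply says, looks only at the rule itself and not at the enclosing anchors. The interface re0, the anchor names "incoming"/"outgoing" and the rdr-to target 127.0.0.1 port 8021 come from the original post; the explicit sub-anchor names and the second interface vio0 are assumptions made up for the example.

```pf
# Added example: nested anchors per direction and per interface.
# Interface names and anchor names below the top level are constructed
# for illustration; adjust them to the interfaces actually in use.

anchor "incoming" in {
	anchor "re0" on re0 {
		# "in on re0" is repeated on the rule itself: the enclosing anchors
		# already restrict evaluation to inbound traffic on re0, but pfctl
		# validates "rdr-to" against this rule alone when parsing.
		pass in on re0 quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
	}
	anchor "vio0" on vio0 {
		pass in on vio0 quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
	}
}

anchor "outgoing" out {
	anchor "re0" on re0 {
		# outbound rules carry no rdr-to, so no direction check applies here
		pass out on re0 quick proto tcp to port ftp
	}
}
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without installing anything, so the "rdr-to can only be used inbound" error shows up (or not) without touching the running ruleset. After loading, `pfctl -a incoming/re0 -sr` lists the rules of one sub-anchor by its nested path. Repeating "in on re0" changes nothing at evaluation time, since, as the reply explains, the inner rule is only reached once the enclosing anchor's own "in" and "on re0" conditions have matched; it exists purely to satisfy the parser.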

