Klemens Nanni(k...@openbsd.org) on 2018.12.25 17:33:00 +0100: > From pf.conf(5): > > The anchor can also be populated by adding a load anchor rule after the > anchor rule. When pfctl(8) loads pf.conf, it will also load all the > rules from the file /etc/pf-spam.conf into the anchor. > > anchor spam > load anchor spam from "/etc/pf-spam.conf" > > This is too much verbiage for nothing since we have `include'. > parse.y history shows > > revision 1.650 > date: 2016/06/16 15:46:20; author: henning; state: Exp; lines: +1 -0; > allow include in inline anchors > with this, > anchor foo { > include "/path/to/rules" > } > works and "load anchor" is obsolete, to be removed somewhen later after > release. > co-production with reky at bsdcan, ok reyk mikeb benno sasha > > Like this: > > anchor spam { > include /etc/pf-spam.conf > } > > OK to remove these duplicate semantics? Below is a diff for pfctl and > pf.conf(5). > > pfctl regress still passes when I remove the `load anchor' tests and > adjust test 103 accordingly. > > I'll send a separate regress diff after consensus and OKs but before > committing. Same for our pf FAQ. > > current.html with instructions to switch to the simpler syntax will > follow, as well. > > Feedback? OK?
ok benno@ When that commit was done in 2016, there should have been a commit to current.html telling people tochange syntax. Both as a warning of a upcoming change and as a reminder for us to remove the old syntax after release (6.0?).
> Index: sbin/pfctl/parse.y
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/parse.y,v
> retrieving revision 1.688
> diff -u -p -r1.688 parse.y
> --- sbin/pfctl/parse.y 15 Nov 2018 03:22:01 -0000 1.688
> +++ sbin/pfctl/parse.y 25 Dec 2018 15:37:37 -0000
> @@ -394,15 +394,6 @@ int map_tos(char *string, int *);
> int rdomain_exists(u_int);
> int filteropts_to_rule(struct pf_rule *, struct filter_opts *);
>
> -TAILQ_HEAD(loadanchorshead, loadanchors)
> - loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
> -
> -struct loadanchors {
> - TAILQ_ENTRY(loadanchors) entries;
> - char *anchorname;
> - char *filename;
> -};
> -
> typedef struct {
> union {
> int64_t number;
> @@ -547,7 +538,6 @@ ruleset : /* empty */
> | ruleset option '\n'
> | ruleset pfrule '\n'
> | ruleset anchorrule '\n'
> - | ruleset loadrule '\n'
> | ruleset queuespec '\n'
> | ruleset varset '\n'
> | ruleset antispoof '\n'
> @@ -949,37 +939,6 @@ anchorrule : ANCHOR anchorname dir quick
> }
> ;
>
> -loadrule : LOAD ANCHOR string FROM string {
> - struct loadanchors *loadanchor;
> -
> - if (strlen(pf->anchor->path) + 1 +
> - strlen($3) >= PATH_MAX) {
> - yyerror("anchorname %s too long, max %u\n",
> - $3, PATH_MAX - 1);
> - free($3);
> - YYERROR;
> - }
> - loadanchor = calloc(1, sizeof(struct loadanchors));
> - if (loadanchor == NULL)
> - err(1, "loadrule: calloc");
> - if ((loadanchor->anchorname = malloc(PATH_MAX)) ==
> - NULL)
> - err(1, "loadrule: malloc");
> - if (pf->anchor->name[0])
> - snprintf(loadanchor->anchorname, PATH_MAX,
> - "%s/%s", pf->anchor->path, $3);
> - else
> - strlcpy(loadanchor->anchorname, $3, PATH_MAX);
> - if ((loadanchor->filename = strdup($5)) == NULL)
> - err(1, "loadrule: strdup");
> -
> - TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
> - entries);
> -
> - free($3);
> - free($5);
> - };
> -
> scrub_opts : {
> bzero(&scrub_opts, sizeof scrub_opts);
> }
> @@ -5755,23 +5714,6 @@ parseport(char *port, struct range *r, i
> return (0);
> }
> return (-1);
> -}
> -
> -int
> -pfctl_load_anchors(int dev, struct pfctl *pf, struct pfr_buffer *trans)
> -{
> - struct loadanchors *la;
> -
> - TAILQ_FOREACH(la, &loadanchorshead, entries) {
> - if (pf->opts & PF_OPT_VERBOSE)
> - fprintf(stderr, "\nLoading anchor %s from %s\n",
> - la->anchorname, la->filename);
> - if (pfctl_rules(dev, la->filename, pf->opts, pf->optimize,
> - la->anchorname, trans) == -1)
> - return (-1);
> - }
> -
> - return (0);
> }
>
> int
> Index: sbin/pfctl/pfctl.c
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
> retrieving revision 1.360
> diff -u -p -r1.360 pfctl.c
> --- sbin/pfctl/pfctl.c 18 Sep 2018 12:55:19 -0000 1.360
> +++ sbin/pfctl/pfctl.c 25 Dec 2018 15:36:30 -0000
> @@ -1668,11 +1665,6 @@ pfctl_rules(int dev, char *filename, int
> path = NULL;
>
> if (trans == NULL) {
> - /*
> - * process "load anchor" directives that might have used queues
> - */
> - if (pfctl_load_anchors(dev, &pf, t) == -1)
> - ERRX("load anchors");
> pfctl_clear_queues(&qspecs);
> pfctl_clear_queues(&rootqs);
>
> Index: sbin/pfctl/pfctl_parser.h
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/pfctl_parser.h,v
> retrieving revision 1.112
> diff -u -p -r1.112 pfctl_parser.h
> --- sbin/pfctl/pfctl_parser.h 6 Sep 2018 15:07:34 -0000 1.112
> +++ sbin/pfctl/pfctl_parser.h 25 Dec 2018 15:36:42 -0000
> @@ -234,7 +234,6 @@ int pfctl_set_interface_flags(struct pfc
>
> int parse_config(char *, struct pfctl *);
> int parse_flags(char *);
> -int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
>
> int pfctl_load_queues(struct pfctl *);
> int pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
> Index: share/man/man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.577
> diff -u -p -r1.577 pf.conf.5
> --- share/man/man5/pf.conf.5 12 Jul 2018 05:54:49 -0000 1.577
> +++ share/man/man5/pf.conf.5 25 Dec 2018 16:20:56 -0000
> @@ -1803,21 +1803,6 @@ which blocks all packets from a specific
> # echo "block in quick from 1.2.3.4 to any" | pfctl -a spam -f -
> .Ed
> .Pp
> -The anchor can also be populated by adding a
> -.Ic load anchor
> -rule after the anchor rule.
> -When
> -.Xr pfctl 8
> -loads
> -.Nm ,
> -it will also load all the rules from the file
> -.Pa /etc/pf-spam.conf
> -into the anchor.
> -.Bd -literal -offset indent
> -anchor spam
> -load anchor spam from "/etc/pf-spam.conf"
> -.Ed
> -.Pp
> An anchor rule can also contain a filter ruleset
> in a brace-delimited block.
> In that case, no separate loading of rules into the anchor
> @@ -1888,10 +1873,7 @@ translation rules, for example, may also
> Anchor rules are evaluated relative to the anchor in which they are > contained.
> For example,
> all anchor rules specified in the main ruleset will reference
> -anchor attachment points underneath the main ruleset,
> -and anchor rules specified in a file loaded from a
> -.Ic load anchor
> -rule will be attached under that anchor point.
> +anchor attachment points underneath the main ruleset.
> .Pp
> Anchors may end with the asterisk
> .Pq Sq *
> @@ -2778,8 +2760,6 @@ anchor-rule = "anchor" [ string ] [ (
> [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
>
> anchor-close = "}"
> -
> -load-anchor = "load anchor" string "from" filename
>
> queueopts-list = queueopts-list queueopts | queueopts
> queueopts = ([ "bandwidth" bandwidth ] | [ "min" bandwidth ] |
> ===================================================================
> Stats: --- 85 lines 2202 chars
> Stats: +++ 1 lines 54 chars
> Stats: -84 lines
> Stats: -2148 chars
>