Sebastian Benoit(be...@openbsd.org) on 2018.12.25 18:13:27 +0100:
> Klemens Nanni(k...@openbsd.org) on 2018.12.25 17:33:00 +0100:
> > From pf.conf(5):
> >
> > The anchor can also be populated by adding a load anchor rule after the
> > anchor rule. When pfctl(8) loads pf.conf, it will also load all the
> > rules from the file /etc/pf-spam.conf into the anchor.
> >
> > anchor spam
> > load anchor spam from "/etc/pf-spam.conf"
> >
> > This is too much verbiage for nothing since we have `include'.
> > parse.y history shows
> >
> > revision 1.650
> > date: 2016/06/16 15:46:20; author: henning; state: Exp; lines: +1 -0;
> > allow include in inline anchors
> > with this,
> > anchor foo {
> > include "/path/to/rules"
> > }
> > works and "load anchor" is obsolete, to be removed somewhen later after
> > release.
> > co-production with reky at bsdcan, ok reyk mikeb benno sasha
> >
> > Like this:
> >
> > anchor spam {
> > include /etc/pf-spam.conf
> > }
> >
> > OK to remove these duplicate semantics? Below is a diff for pfctl and
> > pf.conf(5).
> >
> > pfctl regress still passes when I remove the `load anchor' tests and
> > adjust test 103 accordingly.
> >
> > I'll send a separate regress diff after consense and OKs but before
> > committing. Same for our pf FAQ.
> >
> > current.html with instructions to switch to the simpler syntax will
> > follow, as well.
> >
> > Feedback? OK?
>
> ok benno@
>
> When that commit was done in 2016, there should have been a commit to
> current.html telling people tochange syntax. Both as a warning of a upcoming
> change and as a reminder for us to remove the old syntax after release
> (6.0?).
that said, if we want this, we might want to have pfctl print a warning for
a release cycle because it can impact the reachability of a machine. Like we
do with ifconfig vlanid/parent changes.
/Benno
> > Index: sbin/pfctl/parse.y
> > ===================================================================
> > RCS file: /cvs/src/sbin/pfctl/parse.y,v
> > retrieving revision 1.688
> > diff -u -p -r1.688 parse.y
> > --- sbin/pfctl/parse.y 15 Nov 2018 03:22:01 -0000 1.688
> > +++ sbin/pfctl/parse.y 25 Dec 2018 15:37:37 -0000
> > @@ -394,15 +394,6 @@ int map_tos(char *string, int *);
> > int rdomain_exists(u_int);
> > int filteropts_to_rule(struct pf_rule *, struct filter_opts *);
> >
> > -TAILQ_HEAD(loadanchorshead, loadanchors)
> > - loadanchorshead = TAILQ_HEAD_INITIALIZER(loadanchorshead);
> > -
> > -struct loadanchors {
> > - TAILQ_ENTRY(loadanchors) entries;
> > - char *anchorname;
> > - char *filename;
> > -};
> > -
> > typedef struct {
> > union {
> > int64_t number;
> > @@ -547,7 +538,6 @@ ruleset : /* empty */
> > | ruleset option '\n'
> > | ruleset pfrule '\n'
> > | ruleset anchorrule '\n'
> > - | ruleset loadrule '\n'
> > | ruleset queuespec '\n'
> > | ruleset varset '\n'
> > | ruleset antispoof '\n'
> > @@ -949,37 +939,6 @@ anchorrule : ANCHOR anchorname dir quick
> > }
> > ;
> >
> > -loadrule : LOAD ANCHOR string FROM string {
> > - struct loadanchors *loadanchor;
> > -
> > - if (strlen(pf->anchor->path) + 1 +
> > - strlen($3) >= PATH_MAX) {
> > - yyerror("anchorname %s too long, max %u\n",
> > - $3, PATH_MAX - 1);
> > - free($3);
> > - YYERROR;
> > - }
> > - loadanchor = calloc(1, sizeof(struct loadanchors));
> > - if (loadanchor == NULL)
> > - err(1, "loadrule: calloc");
> > - if ((loadanchor->anchorname = malloc(PATH_MAX)) ==
> > - NULL)
> > - err(1, "loadrule: malloc");
> > - if (pf->anchor->name[0])
> > - snprintf(loadanchor->anchorname, PATH_MAX,
> > - "%s/%s", pf->anchor->path, $3);
> > - else
> > - strlcpy(loadanchor->anchorname, $3, PATH_MAX);
> > - if ((loadanchor->filename = strdup($5)) == NULL)
> > - err(1, "loadrule: strdup");
> > -
> > - TAILQ_INSERT_TAIL(&loadanchorshead, loadanchor,
> > - entries);
> > -
> > - free($3);
> > - free($5);
> > - };
> > -
> > scrub_opts : {
> > bzero(&scrub_opts, sizeof scrub_opts);
> > }
> > @@ -5755,23 +5714,6 @@ parseport(char *port, struct range *r, i
> > return (0);
> > }
> > return (-1);
> > -}
> > -
> > -int
> > -pfctl_load_anchors(int dev, struct pfctl *pf, struct pfr_buffer *trans)
> > -{
> > - struct loadanchors *la;
> > -
> > - TAILQ_FOREACH(la, &loadanchorshead, entries) {
> > - if (pf->opts & PF_OPT_VERBOSE)
> > - fprintf(stderr, "\nLoading anchor %s from %s\n",
> > - la->anchorname, la->filename);
> > - if (pfctl_rules(dev, la->filename, pf->opts, pf->optimize,
> > - la->anchorname, trans) == -1)
> > - return (-1);
> > - }
> > -
> > - return (0);
> > }
> >
> > int
> > Index: sbin/pfctl/pfctl.c
> > ===================================================================
> > RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
> > retrieving revision 1.360
> > diff -u -p -r1.360 pfctl.c
> > --- sbin/pfctl/pfctl.c 18 Sep 2018 12:55:19 -0000 1.360
> > +++ sbin/pfctl/pfctl.c 25 Dec 2018 15:36:30 -0000
> > @@ -1668,11 +1665,6 @@ pfctl_rules(int dev, char *filename, int
> > path = NULL;
> >
> > if (trans == NULL) {
> > - /*
> > - * process "load anchor" directives that might have used queues
> > - */
> > - if (pfctl_load_anchors(dev, &pf, t) == -1)
> > - ERRX("load anchors");
> > pfctl_clear_queues(&qspecs);
> > pfctl_clear_queues(&rootqs);
> >
> > Index: sbin/pfctl/pfctl_parser.h
> > ===================================================================
> > RCS file: /cvs/src/sbin/pfctl/pfctl_parser.h,v
> > retrieving revision 1.112
> > diff -u -p -r1.112 pfctl_parser.h
> > --- sbin/pfctl/pfctl_parser.h 6 Sep 2018 15:07:34 -0000 1.112
> > +++ sbin/pfctl/pfctl_parser.h 25 Dec 2018 15:36:42 -0000
> > @@ -234,7 +234,6 @@ int pfctl_set_interface_flags(struct pfc
> >
> > int parse_config(char *, struct pfctl *);
> > int parse_flags(char *);
> > -int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);
> >
> > int pfctl_load_queues(struct pfctl *);
> > int pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
> > Index: share/man/man5/pf.conf.5
> > ===================================================================
> > RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> > retrieving revision 1.577
> > diff -u -p -r1.577 pf.conf.5
> > --- share/man/man5/pf.conf.5 12 Jul 2018 05:54:49 -0000 1.577
> > +++ share/man/man5/pf.conf.5 25 Dec 2018 16:20:56 -0000
> > @@ -1803,21 +1803,6 @@ which blocks all packets from a specific
> > # echo "block in quick from 1.2.3.4 to any" | pfctl -a spam -f -
> > .Ed
> > .Pp
> > -The anchor can also be populated by adding a
> > -.Ic load anchor
> > -rule after the anchor rule.
> > -When
> > -.Xr pfctl 8
> > -loads
> > -.Nm ,
> > -it will also load all the rules from the file
> > -.Pa /etc/pf-spam.conf
> > -into the anchor.
> > -.Bd -literal -offset indent
> > -anchor spam
> > -load anchor spam from "/etc/pf-spam.conf"
> > -.Ed
> > -.Pp
> > An anchor rule can also contain a filter ruleset
> > in a brace-delimited block.
> > In that case, no separate loading of rules into the anchor
> > @@ -1888,10 +1873,7 @@ translation rules, for example, may also
> > Anchor rules are evaluated relative to the anchor in which they are
> > contained.
> > For example,
> > all anchor rules specified in the main ruleset will reference
> > -anchor attachment points underneath the main ruleset,
> > -and anchor rules specified in a file loaded from a
> > -.Ic load anchor
> > -rule will be attached under that anchor point.
> > +anchor attachment points underneath the main ruleset.
> > .Pp
> > Anchors may end with the asterisk
> > .Pq Sq *
> > @@ -2778,8 +2760,6 @@ anchor-rule = "anchor" [ string ] [ (
> > [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
> >
> > anchor-close = "}"
> > -
> > -load-anchor = "load anchor" string "from" filename
> >
> > queueopts-list = queueopts-list queueopts | queueopts
> > queueopts = ([ "bandwidth" bandwidth ] | [ "min" bandwidth ] |
> > ===================================================================
> > Stats: --- 85 lines 2202 chars
> > Stats: +++ 1 lines 54 chars
> > Stats: -84 lines
> > Stats: -2148 chars
> >
>
