Hello,

I don't object to your change. However, I hesitate to give an OK too. I hope PF users who have non-trivial rulesets will speak up here.

IMO we are hitting limitations of pfctl(8) here. Making warnings more useful requires introducing some additional hints to pfctl, to better express which table should be bound to a rule. Currently pfctl(8) tries to use the table which is attached to the anchor. If there is no table found, it implicitly falls back to the main anchor and uses the table found in the main anchor (ruleset). This implicit fallback is the source of our doubts: is it intentional that the table at the anchor is not defined?

I would prefer pfctl(8) to always complain if a particular table is not defined in the anchor. E.g. if a rule refers to a particular table as:

    pass in from <t1> ....

then the parser should always expect `t1` to be defined in the same anchor as the rule itself. If no table is found in the anchor, then the parser should exit with an error. If the user wants the rule above to use `t1` from the main anchor, then the rule should look like:

    pass in from </t1> ....

I agree going that way just puts more pain on users for kind of little gain.

</snip>
> # ./obj/pfctl -T replace -t t3 -a a2 -n
> pfctl: warning: table <t3> already defined in anchor "/"
> pfctl: warning: table <t3> already defined in anchor "a1"
> 1 table created (dummy).
>

I just see a use case above from a different perspective: it's not a problem where a particular table is defined, the tricky question is how we refer to them in rules.

As I've said, I don't object to your change. I agree it does what you intend, however I'm not sure how much it buys.

thanks and
regards
sashan
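An added example, not part of the original message and not pfctl code: a small audit that labels every table reference in a ruleset as resolved in the rule's own anchor, resolved only through the implicit fallback to the main anchor described above, or not defined in the file at all. It assumes a simplified pf.conf subset (one statement per line, anchors not nested); the sample ruleset and the names `parse` and `classify` are constructed for illustration.

```python
import re

# Constructed sample ruleset (simplified pf.conf subset, not from the thread).
SAMPLE = '''
table <t1> { 192.0.2.1 }
table <t3> { 192.0.2.3 }
anchor "a1" {
    table <t3> { 198.51.100.3 }
    pass in from <t3>
    pass in from <t1>
}
anchor "a2" {
    pass in from <t3>
    block in from <t9>
}
'''

TABLE_DEF = re.compile(r'^table\s+<([^>]+)>')
ANCHOR_OPEN = re.compile(r'^anchor\s+"([^"]+)"\s*\{$')
TABLE_REF = re.compile(r'<([^>]+)>')

def parse(text):
    """Return (defs, refs): anchor -> defined table names, and (anchor, table) per rule reference."""
    defs, refs, anchor = {"/": set()}, [], "/"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if (m := ANCHOR_OPEN.match(line)):
            anchor = m.group(1)            # statements now belong to this anchor
            defs.setdefault(anchor, set())
        elif line == "}":
            anchor = "/"                   # assumption: anchors are not nested
        elif (m := TABLE_DEF.match(line)):
            defs[anchor].add(m.group(1))
        else:                              # anything else is treated as a rule
            refs += [(anchor, t) for t in TABLE_REF.findall(line)]
    return defs, refs

def classify(text):
    """Label each reference 'local', 'fallback' (main anchor only) or 'undefined'."""
    defs, refs = parse(text)
    out = []
    for anchor, table in refs:
        if table in defs[anchor]:
            kind = "local"
        elif table in defs["/"]:
            kind = "fallback"              # the implicit lookup in the main anchor
        else:
            kind = "undefined"             # no definition anywhere in this file
        out.append((anchor, table, kind))
    return out
```

References labelled `fallback` are the ones whose intent the message calls doubtful, and the ones that would need the proposed `</t1>` form under strict resolution.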