path: root/sbin/pfctl/pfctl.8
author Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2002-12-06 00:47:33 +0000
committer Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2002-12-06 00:47:33 +0000
commit 0c408b075f1e6e1911db1000cfcbb398ffdae48e (patch)
tree f080855d3f372b0b1c7eccc81c79a14a8dcc5067 /sbin/pfctl/pfctl.8
parent 7654c4a4b93a0c8473a697480f604acf3272bbcc (diff)
Introduce anchors and named rule sets, allowing to load additional rule
sets with pfctl and evaluate them from the main rule set using a new type of rule (which will support conditional evaluation soon). Makes maintenance of sub-rulesets simpler for pfctl and daemons. Idea and ok deraadt@
Diffstat (limited to 'sbin/pfctl/pfctl.8')
-rw-r--r-- sbin/pfctl/pfctl.8 29
1 files changed, 28 insertions, 1 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 059366dea2e..f22229b56f8 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.57 2002/12/04 08:07:28 deraadt Exp $
+.\" $OpenBSD: pfctl.8,v 1.58 2002/12/06 00:47:31 dhartmei Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -33,6 +33,7 @@
.Sh SYNOPSIS
.Nm pfctl
.Op Fl AdehnNqrRvzO
+.Op Fl a Ar anchor[:ruleset]
.Op Fl F Ar modifier
.Op Fl f Ar file
.Op Fl k Ar host
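Review bot: In the SYNOPSIS line `.Op Fl a Ar anchor[:ruleset]`, the optional part is typed as literal brackets inside the `Ar` argument, while the option entry added later in this same patch marks it up as `.It Fl a Ar anchor Ns Op Ar :ruleset`. Use the same form here, `.Op Fl a Ar anchor Ns Op Ar :ruleset`, so that the synopsis and the description agree and the brackets come from the macro rather than from argument text.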
@@ -84,6 +85,26 @@ The
utility provides several commands.
The options are as follows:
.Bl -tag -width Ds
+.It Fl a Ar anchor Ns Op Ar :ruleset
+Apply flags
+.Fl f ,
+.Fl F
+and
+.Fl s
+only to the rules in the specified
+.Pa anchor
+and optional named rule set
+.Ar ruleset .
+In addition to the main rule set,
+.Nm
+can load and manipulate additional rule sets by name.
+Named rule sets are attached at
+.Pa anchor
+points, which are also referenced by name.
+Evaluation of
+.Pa anchor
+rules from the main rule set is described in
+.Xr pf.conf 5 .
.It Fl A
Load only the queue rules present in the rule file.
Other rules and options are ignored.
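Review bot: The body of the new `-a` entry marks the anchor name with `.Pa` three times, although its `.It` line introduces the same thing as `.Ar anchor`; an anchor is referenced by name, not by file path, so `.Ar anchor` would be consistent. The entry should also say directly that rules loaded into an anchor with `-a` and `-f` take effect only when the main rule set evaluates that anchor, which is what the commit message describes. As written, that fact sits behind the pf.conf(5) cross-reference, and an administrator could load a named rule set and assume it is already filtering traffic.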
@@ -159,6 +180,12 @@ will skip evaluation of rules where possible.
Packets passed statefully are counted in the rule that created the state
(even though the rule isn't evaluated more than once for the entire
connection).
+.It Fl s Ar anchor
+Show the currently loaded anchors.
+If
+.Fl a
+is specified, the named rule sets currently loaded in the specified
+anchor are shown instead.
.It Fl s Ar state
Show the contents of the state table.
.It Fl s Ar info
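Review bot: In `.It Fl s Ar anchor` the word `anchor` is a literal modifier keyword, like `state` and `info` in the entries after it, but this patch also uses `Ar anchor` under `-a` for a user-chosen anchor name, so `-s anchor` and `-a anchor` read alike while meaning different things. Say in the entry that the word is literal. The sentence beginning "If -a is specified" also covers only an anchor given on its own; it does not say what is shown when `-a` is given as `anchor:ruleset`, nor how `-a` combines with the other `-s` modifiers that the `-a` entry says it restricts.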