| author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-12-06 00:47:33 +0000 |
|---|---|---|
| committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-12-06 00:47:33 +0000 |
| commit | 0c408b075f1e6e1911db1000cfcbb398ffdae48e (patch) | |
| tree | f080855d3f372b0b1c7eccc81c79a14a8dcc5067 /sbin/pfctl/pfctl.8 | |
| parent | 7654c4a4b93a0c8473a697480f604acf3272bbcc (diff) | |
Introduce anchors and named rule sets, allowing additional rule
sets to be loaded with pfctl and evaluated from the main rule set using a new type
of rule (which will support conditional evaluation soon). Makes
maintenance of sub-rulesets simpler for pfctl and daemons.
Idea and ok deraadt@
Diffstat (limited to 'sbin/pfctl/pfctl.8')
-rw-r--r-- | sbin/pfctl/pfctl.8 | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 059366dea2e..f22229b56f8 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.57 2002/12/04 08:07:28 deraadt Exp $ +.\" $OpenBSD: pfctl.8,v 1.58 2002/12/06 00:47:31 dhartmei Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -33,6 +33,7 @@ .Sh SYNOPSIS .Nm pfctl .Op Fl AdehnNqrRvzO +.Op Fl a Ar anchor[:ruleset] .Op Fl F Ar modifier .Op Fl f Ar file .Op Fl k Ar host @@ -84,6 +85,26 @@ The utility provides several commands. The options are as follows: .Bl -tag -width Ds +.It Fl a Ar anchor Ns Op Ar :ruleset +Apply flags +.Fl f , +.Fl F +and +.Fl s +only to the rules in the specified +.Pa anchor +and optional named rule set +.Ar ruleset . +In addition to the main rule set, +.Nm +can load and manipulate additional rule sets by name. +Named rule sets are attached at +.Pa anchor +points, which are also referenced by name. +Evaluation of +.Pa anchor +rules from the main rule set is described in +.Xr pf.conf 5 . .It Fl A Load only the queue rules present in the rule file. Other rules and options are ignored. @@ -159,6 +180,12 @@ will skip evaluation of rules where possible. Packets passed statefully are counted in the rule that created the state (even though the rule isn't evaluated more than once for the entire connection). +.It Fl s Ar anchor +Show the currently loaded anchors. +If +.Fl a +is specified, the named rule sets currently loaded in the specified +anchor are shown instead. .It Fl s Ar state Show the contents of the state table. .It Fl s Ar info |
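Review bot: in the SYNOPSIS hunk, `.Op Fl a Ar anchor[:ruleset]` places literal brackets inside the `.Ar` argument, so the optional `:ruleset` suffix renders as part of the argument name instead of as a nested optional. The description hunk below already spells the same option as `.It Fl a Ar anchor Ns Op Ar :ruleset`; the synopsis should use the matching macro form (e.g. `.Op Fl a Ar anchor Ns Op : Ar ruleset`) so the two agree.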
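Review bot: the new `-a` entry says `-f`, `-F` and `-s` are applied only to the rules in the named anchor, but it does not say which `-F` and `-s` modifiers this restriction covers; the `-s state` entry visible in the following hunk's context describes the state table, so a reader cannot tell whether `-a` combined with it is rejected, ignored, or filters the output. Suggest listing the modifiers that honour `-a`, or stating explicitly that `-a` is ignored for the others. As a style point, `anchor` is marked up with `.Pa` three times in this paragraph although it is an argument name, not a pathname; `.Ar anchor` would match the `.It` line.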
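Review bot: the `-s anchor` entry covers the cases with no `-a` (list anchors) and with `-a anchor` (list the rule sets in that anchor), but `-a` also accepts an optional `:ruleset` suffix and nothing here says what `-a anchor:ruleset -s anchor` shows. Either state that the rule set part is ignored for this listing or document its output, so the two new entries describe the same argument form.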