| author | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2017-07-13 14:41:18 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@cvs.openbsd.org> | 2017-07-13 14:41:18 +0000 |
| commit | 6bef3927df8071778aac5e8296e84626b8bec3a8 (patch) | |
| tree | 3ae2a65c438df677ceca571ba3eac5745533ffbe /share/man | |
| parent | a660491c7095e4bc61ac580316438acd0af3748a (diff) | |
* Clarify that filter rules are evaluated once per packet and interface,
not only once per packet.
* Clarify that the syntax anchor "name" { ... } both loads and
evaluates the anchor, rather than merely loading it.
Triggered by questions from Benedikt Neuffer <bene at usta dot de>.
OK mikeb@
Diffstat (limited to 'share/man')

| -rw-r--r-- | share/man/man5/pf.conf.5 | 17 |
|---|---|---|

1 files changed, 10 insertions, 7 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 372ed0f5502..1f9aa1a918d 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.566 2017/06/08 15:39:38 henning Exp $ +.\" $OpenBSD: pf.conf.5,v 1.567 2017/07/13 14:41:17 schwarze Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org> @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: June 8 2017 $ +.Dd $Mdocdate: July 13 2017 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -111,8 +111,9 @@ and layer 4 headers. Filter rules determine which of these actions are taken; filter parameters specify the packets to which a rule applies. .Pp -For each packet processed by the packet filter, the filter rules are -evaluated in sequential order, from first to last. +Each time a packet processed by the packet filter comes in on or +goes out through an interface, the filter rules are evaluated in +sequential order, from first to last. For .Ic block and @@ -1763,10 +1764,12 @@ anchor spam load anchor spam from "/etc/pf-spam.conf" .Ed .Pp -Filter rule anchors can also be loaded inline in the ruleset -within a brace-delimited block. +An anchor rule can also contain a filter ruleset +in a brace-delimited block. +In that case, no separate loading of rules into the anchor +is required. Brace delimited blocks may contain rules or other brace-delimited blocks. -When anchors are loaded this way the anchor name becomes optional. +When an anchor is populated this way the anchor name becomes optional. Since the parser specification for anchor names is a string, double quote characters .Pq Sq \&" |
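Review bot: in the hunk at @@ -111, the new wording states the rule but leaves its practical consequence implicit: a packet forwarded between two interfaces now passes through the ruleset twice, once as it comes in on the receiving interface and once as it goes out through the sending one, so a rule without an interface or direction qualifier matches on both passes. Consider adding one sentence after "from first to last." to that effect, e.g. "Thus a forwarded packet is evaluated once for each interface it traverses."

Review bot: in the hunk at @@ -1763, "no separate loading of rules into the anchor is required" would be clearer if it named the form it replaces; the example just above the hunk (load anchor spam from "/etc/pf-spam.conf") is exactly that separate load, so "no separate load anchor statement is required" ties the two forms together. While here, the unchanged context line "Brace delimited blocks may contain rules or other brace-delimited blocks." hyphenates the term two ways, whereas the added line settles on "brace-delimited"; worth normalizing in the same commit.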