The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6ea237c31effadc739163ccfcf595b1b5e2f0a60

commit 6ea237c31effadc739163ccfcf595b1b5e2f0a60
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-05-29 12:21:45 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-06-06 12:59:47 +0000

    pf.conf.5: clarify filter evaluation and anchor loading
    
    * Clarify that filter rules are evaluated once per packet and interface,
    not only once per packet.
    * Clarify that the syntax   anchor "name" { ... }   both loads and
    evaluates the anchor, rather than merely loading it.
    Triggered by questions from Benedikt Neuffer <bene at usta dot de>.
    OK mikeb@
    
    Obtained from:  OpenBSD, schwarze <schwa...@openbsd.org>, 7528bd0ba2
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 share/man/man5/pf.conf.5 | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 26ffef6d0471..a9fd9e8b29e1 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 28, 2025
+.Dd May 29, 2025
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -703,8 +703,9 @@ and
 .Ar pass
 packets based on attributes of their Ethernet (layer 2) header.
 .Pp
-For each packet processed by the packet filter, the filter rules are
-evaluated in sequential order, from first to last.
+Each time a packet processed by the packet filter comes in on or
+goes out through an interface, the filter rules are evaluated in
+sequential order, from first to last.
 The last matching rule decides what action is taken.
 If no rule matches the packet, the default action is to pass
 the packet without creating a state.
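Review bot: the new wording ("Each time a packet ... comes in on or goes out through an interface") implies, without saying so, that a forwarded packet is evaluated twice, once inbound on the receiving interface and once outbound on the sending one; since that is exactly the point the commit message wants to make ("once per packet and interface, not only once per packet"), consider stating it explicitly, for example by appending a sentence such as "A packet that is forwarded is therefore evaluated twice, once on the incoming and once on the outgoing interface." The sentence that follows ("The last matching rule decides what action is taken.") would then clearly read as applying to each of those evaluations separately, which matters for anyone writing block rules that assume a single pass.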
@@ -3063,12 +3064,13 @@ anchor, if any, before finally evaluating the
 .Ar pass
 rule.
 .Pp
-Filter rule
-.Ar anchors
-can also be loaded inline in the ruleset within a brace ('{' '}') delimited
-block.
+An
+.Ar anchor
+rule can also contain a filter ruleset in a brace-delimited block.
+In that case, no separate loading of rules into the anchor
+is required.
 Brace delimited blocks may contain rules or other brace-delimited blocks.
-When anchors are loaded this way the anchor name becomes optional.
+When an anchor is populated this way the anchor name becomes optional.
 .Bd -literal -offset indent
 anchor "external" on $ext_if {
        block
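Review bot: the rewritten paragraph covers only the loading half of the commit message; "In that case, no separate loading of rules into the anchor is required." says the rules need not be loaded separately, but nothing in the hunk says that the brace-delimited ruleset is also evaluated when the enclosing anchor rule matches, which is the second clarification the commit message promises ("both loads and evaluates the anchor, rather than merely loading it"). Consider adding a sentence to that effect after "is required.", e.g. "The rules in the block are evaluated whenever the anchor rule matches." As a minor style point in the same paragraph, the unchanged context line "Brace delimited blocks may contain rules or other brace-delimited blocks." now sits next to the new "brace-delimited block" and uses both spellings in one sentence; hyphenating the first occurrence would make it consistent.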
