On Mon, Mar 15, 2010 at 10:35:23PM +0100, Toni Mueller wrote:
> Hi,
> 
> On Mon, 15.03.2010 at 13:04:04 +0000, Jason McIntyre <j...@kerhand.co.uk> 
> wrote:
> > doesn't "Other rules and options are ignored." already cover this?
> 
> may be. But then, you are possibly only too deeply entrenched in this
> stuff to "see" the problem.
> 

it is always possible, but i don't think so in this case. i didn't
honestly know about this behaviour until reading your mail. now i
have read your mail, and pfctl(8), and think that we have it covered.
we have to strike a balance somewhere between documenting behaviour
and not bogging ourselves down in answering every possible question.
i admit that balance is somewhat arbitrary. but you, the reader,
have some responsibility to go digging. and to be surprised too
sometimes.

so i'm asking myself whether your diff improves what we have. i don't
think it does. it's just my opinion - we cannot call wrong or right
here.

> > furthermore, since -T has a load command, should we really expect -R to
> > load tables?
> 
> Should it really need to? My guess was that tables would usually have
> been loaded already when one goes to selectively reload the rules, and
> either spelling out that they need to be loaded explicitly, stating
> that, by default, the already-loaded tables are being used, or that
> they are being ignored, or that the whole command fails would imho be a
> good thing.
> 

i think what you're looking at is the side-effect of tables being hacked
into pf. it may be that you can see inconsistencies, i don't know. maybe
just tell yourself that when you use pfctl to load rules, it will only
load rules, not other stuff. like the doc says.

> Ok. I go out on a limb and say that explicit is better than implicit,
> in a lot of cases, and would welcome the short explanation OR the
> modification of the command to also load tables (which would require
> amending the man page, too).
> 
> I admit that I was unaware of the rule optimizer until it bit me into
> my bottom half. I mean, I usually don't care, from a user perspective,
> whether there is something "optimizing" my stuff, and consider this
> kind of breakage as a (an almost) hidden gotcha.
> 
> An optimizer (or any other such device) which is on by default and
> claims to not change semantics, should imho be transparent to the user,
> but this one isn't. If you have other uses of disabling the optimizer
> except for debugging pf, I'd really like to hear.
> 

sorry, you've lost me with the optimiser stuff ;) why are you discussing
that?

jmc