Re: git: 9dfc5e03da50 - main - pfctl: allow tables to be defined inside anchors
Date: Sat, 04 Oct 2025 07:45:12 UTC
On 17.09.25 16:15, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=9dfc5e03da50d12f02c2b481139acf9f089d504f
>
> commit 9dfc5e03da50d12f02c2b481139acf9f089d504f
> Author: Kristof Provost <kp@FreeBSD.org>
> AuthorDate: 2025-08-22 11:34:39 +0000
> Commit: Kristof Provost <kp@FreeBSD.org>
> CommitDate: 2025-09-17 14:15:13 +0000
>
> pfctl: allow tables to be defined inside anchors
>
Hi Kristof,
this change prevents pf.conf from loading on one of my servers. It works fine
with 3d14cc82d7a8, but does not with any version after it. Just replacing
pfctl with a version before 9dfc5e03da50 makes it work again.
Tests on latest main:
# pfctl -f /etc/pf.conf
pfctl: failed to create table __automatic_d63f3745_0 in : Device busy
Disabling the optimizer works around the issue.
# pfctl -o none -f /etc/pf.conf && echo $?
0
I was able to find a simple repro case.
Take this ruleset:
---
ext_if="igb0"
host_ipv4="192.168.0.1"
host_ipv6="3333:444:222:1843::2"
mail="3333:444:222:1843::25:3"
db="3333:444:222:1843::3306:5"
db4="3333:444:222:1843::3306:4"
web="3333:444:222:1843::80:6"
amavis="3333:444:222:1843::aa:4"
rdr-anchor "rdr/*"
block in
pass out
# anti lockout during tests
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to { $host_ipv4, $host_ipv6, $mail,
$amavis, $db, $db4, $web } port ssh
---
It can be loaded successfully without disabling the optimizer if I either
remove the 7th element from the second "pass in ... port ssh" rule ($web in
this case) or disable the 'rdr-anchor "rdr/*"' line.
Florian
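For an administrator hit by this regression, the useful question is which rules in a large pf.conf the ruleset optimizer will collapse into an automatic table, since those are the rules the report shows failing to load while an rdr-anchor is present. The script below is an added example written for this thread; it is not part of the report and not pfctl's own code. It implements a deliberately small subset of the pf.conf grammar (name="value" macros, $name references, and brace lists in a from/to position, joined across line breaks) and treats a list of seven or more addresses as a table candidate, a threshold inferred from the observation above that seven elements trigger the failure and six do not; TABLE_THRESHOLD, SAMPLE_PF_CONF and all function names are assumptions of this example. The sample ruleset is constructed to mirror the repro case.

```python
import re

# Constructed sample ruleset, modelled on the repro case posted in the thread
SAMPLE_PF_CONF = '''\
ext_if="igb0"
host_ipv4="192.168.0.1"
host_ipv6="3333:444:222:1843::2"
mail="3333:444:222:1843::25:3"
db="3333:444:222:1843::3306:5"
db4="3333:444:222:1843::3306:4"
web="3333:444:222:1843::80:6"
amavis="3333:444:222:1843::aa:4"
rdr-anchor "rdr/*"
block in
pass out
# anti lockout during tests
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to { $host_ipv4, $host_ipv6, $mail,
    $amavis, $db, $db4, $web } port ssh
'''

# Assumption taken from the report: a seven-address list was turned into an
# automatic table and a six-address list was not, so flag lists of 7 or more.
TABLE_THRESHOLD = 7

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
# Brace list in a source or destination position, e.g. 'to { a, b, c }'
ADDR_LIST = re.compile(r'\b(from|to)\s*\{([^}]*)\}')


def logical_lines(text):
    """Yield statements with comments stripped and multi-line '{ ... }' lists
    (or backslash continuations) joined into one line. Simplification: a '#'
    inside a quoted string is also treated as a comment start."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        cont = line.endswith('\\')
        if cont:
            line = line[:-1]
        buf.append(line.strip())
        depth += line.count('{') - line.count('}')
        if depth <= 0 and not cont:
            yield ' '.join(buf)
            buf, depth = [], 0
    if buf:
        yield ' '.join(buf)


def parse_macros(statements):
    """Collect name="value" macro definitions."""
    macros = {}
    for stmt in statements:
        m = MACRO_DEF.match(stmt)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand_macros(stmt, macros, max_rounds=16):
    """Substitute $name references. Macros may reference other macros, so
    iterate until nothing changes, bounded so a self-reference cannot loop."""
    for _ in range(max_rounds):
        new = MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), stmt)
        if new == stmt:
            break
        stmt = new
    return stmt


def address_list_sizes(conf):
    """Return [(rule, keyword, n_addresses)] for every rule that carries a
    brace list in a 'from' or 'to' position, counted after macro expansion."""
    statements = list(logical_lines(conf))
    macros = parse_macros(statements)
    found = []
    for stmt in statements:
        if MACRO_DEF.match(stmt):
            continue
        expanded = expand_macros(stmt, macros)
        for kw, body in ADDR_LIST.findall(expanded):
            items = [x.strip() for x in body.split(',') if x.strip()]
            found.append((stmt, kw, len(items)))
    return found


def table_candidates(conf, threshold=TABLE_THRESHOLD):
    """Rules whose address list is large enough for the optimizer to replace
    it with an automatic table, the case the report shows failing to load."""
    return [(rule, n) for rule, _, n in address_list_sizes(conf) if n >= threshold]


def has_rdr_anchor(conf):
    """The report says the failure also disappears when the rdr-anchor line is
    removed, so report its presence as the second half of the trigger."""
    return any(stmt.startswith('rdr-anchor') for stmt in logical_lines(conf))


if __name__ == '__main__':
    for rule, n in table_candidates(SAMPLE_PF_CONF):
        print(f'{n} addresses -> automatic table: {rule}')
    print('rdr-anchor present:', has_rdr_anchor(SAMPLE_PF_CONF))
```

Run against the sample it reports exactly the second ssh rule with seven addresses and confirms the rdr-anchor line is present; with $web removed from the list the candidate list is empty, matching the behaviour described in the report. Feeding it a real /etc/pf.conf only narrows down which rules to look at; the authoritative check remains loading the file with and without "-o none" as shown above.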