Re: git: 9dfc5e03da50 - main - pfctl: allow tables to be defined inside anchors

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Sat, 04 Oct 2025 13:29:11 UTC
On 4 Oct 2025, at 9:45, Florian Smeets wrote:
> On 17.09.25 16:15, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=9dfc5e03da50d12f02c2b481139acf9f089d504f
>>
>> commit 9dfc5e03da50d12f02c2b481139acf9f089d504f
>> Author:     Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2025-08-22 11:34:39 +0000
>> Commit:     Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2025-09-17 14:15:13 +0000
>>
>>      pfctl: allow tables to be defined inside anchors
>>
> Hi Kristof,
>
> this change prevents pf.conf from loading on one of my servers. It works fine with 3d14cc82d7a8, but not with any version after it. Just replacing pfctl with a version from before 9dfc5e03da50 makes it work again.
>
> Tests on latest main:
>
> # pfctl -f /etc/pf.conf
> pfctl: failed to create table __automatic_d63f3745_0 in : Device busy
>
> Disabling the optimizer works around the issue.
>
> # pfctl -o none -f /etc/pf.conf && echo $?
> 0
>
> I was able to find a simple repro case.
>
> Take this ruleset:
>
> ---
> ext_if="igb0"
>
> host_ipv4="192.168.0.1"
> host_ipv6="3333:444:222:1843::2"
> mail="3333:444:222:1843::25:3"
> db="3333:444:222:1843::3306:5"
> db4="3333:444:222:1843::3306:4"
> web="3333:444:222:1843::80:6"
> amavis="3333:444:222:1843::aa:4"
>
> rdr-anchor "rdr/*"
>
> block in
> pass out
>
> # anti lockout during tests
> pass in on $ext_if proto tcp to ($ext_if) port ssh
>
> pass in on $ext_if proto tcp to { $host_ipv4, $host_ipv6, $mail, $amavis, $db, $db4, $web } port ssh
> ---
>
> It can be successfully loaded without disabling the optimizer by either removing the 7th element from the second "pass in ... port ssh" rule ($web in this case) or disabling the 'rdr-anchor "rdr/*"' line.
>
Thanks for the report, and especially the test case. I’ll add this to my todo list for next week.

—
Kristof
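The report above gives two ingredients for the failure: a rule whose address list has 7 entries (6 load fine) and an rdr-anchor in the same ruleset. The following script is an added example, not code from this thread or from pfctl; it lets an operator lint a pf.conf before a reload by expanding the name="value" macros, counting the entries of every { ... } list in a rule, and flagging the rules that reach the list size the report shows being collapsed into an automatic table. The 7-entry threshold and the sample ruleset are taken from the report; handling only single-line, double-quoted macros is a simplifying assumption of this example.

```python
"""Added example, not code from this thread or from pfctl itself.

Flags pf.conf rules whose address lists are large enough for the pfctl
optimizer to replace them with an "__automatic_*" table.  The 7-entry
threshold and the sample ruleset come from the report above; restricting
macros to single-line, double-quoted values is an assumption of this
example, not pfctl's full grammar.
"""
import re
import shutil
import subprocess
import sys

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
LIST_RE = re.compile(r'\{([^{}]*)\}')
ANCHOR_RE = re.compile(r'(rdr-|nat-|binat-)?anchor\b')

# Smallest list size the report shows the optimizer turning into an
# automatic table (a 6-entry list loaded, the 7-entry list did not).
TABLE_LIST_SIZE = 7

# Constructed sample: the reporter's reduced ruleset from the thread above.
SAMPLE_PF_CONF = '''\
ext_if="igb0"

host_ipv4="192.168.0.1"
host_ipv6="3333:444:222:1843::2"
mail="3333:444:222:1843::25:3"
db="3333:444:222:1843::3306:5"
db4="3333:444:222:1843::3306:4"
web="3333:444:222:1843::80:6"
amavis="3333:444:222:1843::aa:4"

rdr-anchor "rdr/*"

block in
pass out

# anti lockout during tests
pass in on $ext_if proto tcp to ($ext_if) port ssh

pass in on $ext_if proto tcp to { $host_ipv4, $host_ipv6, $mail, $amavis, $db, $db4, $web } port ssh
'''


def expand_macros(text):
    """Return (macros, rule_lines): comments and blank lines dropped,
    $macro references replaced by the macro's value."""
    macros = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # \b keeps $db from matching the start of $db4.
        for name in macros:
            line = re.sub(r'\$' + re.escape(name) + r'\b', macros[name], line)
        rules.append(line.strip())
    return macros, rules


def list_entries(rule):
    """Entry count of each { ... } list in a rule; pf accepts comma or
    whitespace separated entries."""
    return [len([e for e in re.split(r'[,\s]+', m.group(1).strip()) if e])
            for m in LIST_RE.finditer(rule)]


def lint(text, threshold=TABLE_LIST_SIZE):
    """Return (has_anchor, [(rule, size), ...]) for every list with at least
    `threshold` entries."""
    _, rules = expand_macros(text)
    has_anchor = any(ANCHOR_RE.match(r) for r in rules)
    big = [(rule, size) for rule in rules
           for size in list_entries(rule) if size >= threshold]
    return has_anchor, big


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PF_CONF
    has_anchor, big = lint(text)
    for rule, size in big:
        print(f'{size}-entry list (optimizer may build an automatic table): {rule}')
    if big and has_anchor:
        print('ruleset also declares an anchor; if the load fails, '
              'retry with "pfctl -o none -f" as in the report')
    # Parse-only check with the real pfctl when one is installed (-n).
    if path and shutil.which('pfctl'):
        subprocess.run(['pfctl', '-n', '-f', path], check=False)
    return 1 if big else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it as `python3 pflint.py /etc/pf.conf`; with no argument it lints the sample ruleset from the report and prints the 7-entry ssh rule. It exits non-zero when a large list is present so it can gate a reload in a script, and when pfctl is available it also runs the parse-only `pfctl -n -f` so the real parser gets the last word.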