On 17.09.25 16:15, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=9dfc5e03da50d12f02c2b481139acf9f089d504f
>
> commit 9dfc5e03da50d12f02c2b481139acf9f089d504f
> Author:     Kristof Provost <[email protected]>
> AuthorDate: 2025-08-22 11:34:39 +0000
> Commit:     Kristof Provost <[email protected]>
> CommitDate: 2025-09-17 14:15:13 +0000
>
>     pfctl: allow tables to be defined inside anchors
Hi Kristof,

this change prevents pf.conf from loading on one of my servers. It works fine with 3d14cc82d7a8, but does not with any version after it. Just replacing pfctl with a version before 9dfc5e03da50 makes it work again.
Tests on latest main:

# pfctl -f /etc/pf.conf
pfctl: failed to create table __automatic_d63f3745_0 in : Device busy

Disabling the optimizer works around the issue.

# pfctl -o none -f /etc/pf.conf && echo $?
0

I was able to find a simple repro case. Take this ruleset:

---
ext_if="igb0"
host_ipv4="192.168.0.1"
host_ipv6="3333:444:222:1843::2"
mail="3333:444:222:1843::25:3"
db="3333:444:222:1843::3306:5"
db4="3333:444:222:1843::3306:4"
web="3333:444:222:1843::80:6"
amavis="3333:444:222:1843::aa:4"

rdr-anchor "rdr/*"

block in
pass out

# anti lockout during tests
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to { $host_ipv4, $host_ipv6, $mail, $amavis, $db, $db4, $web } port ssh
---

It can be successfully loaded without disabling the optimizer if either the 7th element of the second "pass in ... port ssh" rule ($web in this case) is removed or the 'rdr-anchor "rdr/*"' line is disabled.
Florian
