https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=292184
Bug ID: 292184
Summary: periodic/security/520.pfdenied - anchor name must not be empty
Product: Base System
Version: 15.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: conf
Assignee: [email protected]
Reporter: [email protected]
Since this commit:
https://github.com/freebsd/freebsd-src/commit/f33973f5360792835c82b3a164e0d043e8656a4a
the daily periodic e-mails do not include pf block rules from the main ruleset
anymore.
The file /etc/periodic/security/520.pfdenied runs the equivalent of
'pfctl -a "" -sr -v -z 2>/dev/null', which now silently errors out due to:
    pfctl: anchor name must not be empty
Using pfctl -a "*" would work temporarily instead, but would be recursive. Not
sure how to specify the default ruleset explicitly now.
Also, if an empty anchor name is not allowed anymore, the periodic.conf(5) man
page might need to be adjusted, as it mentions
    security_status_pfdenied_additionalanchors
        (str) Space-separated list of additional anchors whose denied
        packets log entries to show. The main ruleset (i.e., the
        empty-string anchor) and any blocklistd(8) anchors, if present,
        are always shown.
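
An added sketch, not part of the bug report and not the FreeBSD 520.pfdenied script: one way a per-anchor wrapper could treat the main ruleset, by leaving out -a when the anchor name is empty, and put pfctl's error text into the report rather than discarding it with 2>/dev/null. The function name pf_show_rules and the PFCTL override variable are hypothetical.

```shell
#!/bin/sh
# Added example; not the FreeBSD periodic script.
# PFCTL is a hypothetical override so the logic can be exercised
# on a host without pf; it defaults to the real pfctl binary.
: "${PFCTL:=pfctl}"

# pf_show_rules ANCHOR
# Prints rules with counters for one anchor. An empty ANCHOR means the
# main ruleset: -a is omitted instead of being passed an empty name.
# On failure, pfctl's own message is written to the report (stdout)
# so a broken invocation is visible in the daily mail.
pf_show_rules() {
    _anchor=$1
    _rc=0
    _err=$(mktemp) || return 1

    if [ -z "$_anchor" ]; then
        # Main ruleset: no -a option at all.
        "$PFCTL" -sr -v -z 2>"$_err" || _rc=$?
    else
        "$PFCTL" -a "$_anchor" -sr -v -z 2>"$_err" || _rc=$?
    fi

    if [ "$_rc" -ne 0 ]; then
        echo "pfdenied: anchor '${_anchor:-<main>}' failed: $(cat "$_err")"
    fi
    rm -f "$_err"
    return "$_rc"
}
```

Whether a missing optional anchor makes pfctl exit non-zero is not stated in the report, so a caller that loops over optional anchors may want to treat that case separately.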