> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen <to...@nevtelen.com> wrote:
>
> Hi there misc!
>
> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
> generate rules but also write some manual ones that get merged. Would be nice
> if we could lint the rules before they are committed to vcs.. (yes we test before they
> are applied on the machines as well but that is way too late in a sane
> pipeline imho)
>
> Problem is that pfctl expects that all interfaces and everything are correct
> (which makes sense for pfctl before loading). BUT it is hard to run on a
> build machine or my laptop to get a general idea of where I'm at (unless I'm
> missing some tricks somewhere)
>
Can the build machine securely request each server run pfctl -n -f temp_config ?
That would verify it’ll load for sure on said server.
> So I've been looking into parse.y in pfctl. It's been a long time since I've
> messed around with very simple yacc stuff so kind of lost.
>
> Has anyone done anything like this? Would be good to know before I sink more
> time into this (and probably fail) :)
>
> /T
>
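The dry-run check the reply proposes, as an added example (not code from this thread): the build machine pushes the merged rule set to each firewall over ssh and asks it to parse with `pfctl -n -f -`, which validates against that host's real interfaces without loading anything. Assumed, not from the thread: a hosts file with one firewall per line, a restricted ssh key on each firewall (an `authorized_keys` `command=` entry limited to `pfctl -n -f -`), and the `SSH_CMD` override used only to stub ssh out when testing the script.

```shell
#!/bin/sh
# Pre-commit pf linting by remote dry run (added example, not from the thread).
# SSH_CMD is assumed: it defaults to ssh and can be overridden for testing.
SSH_CMD="${SSH_CMD:-ssh}"

# check_host HOST RULEFILE
# Feeds RULEFILE on stdin to "pfctl -n -f -" on HOST.
# -n parses and checks the rules (interfaces, tables, macros) without loading.
# Returns pfctl's exit status from the remote host.
check_host() {
    host=$1
    rulefile=$2
    $SSH_CMD "$host" "pfctl -n -f -" < "$rulefile"
}

# lint_all HOSTFILE RULEFILE
# Runs the dry run on every host listed in HOSTFILE (blank lines and
# '#' comments skipped). Prints one line per host; returns 0 only if
# every firewall accepted the rule set, otherwise 1 (so it can gate a commit).
lint_all() {
    hostfile=$1
    rulefile=$2
    failed=0
    while read -r host; do
        [ -z "$host" ] && continue
        case $host in \#*) continue ;; esac
        if check_host "$host" "$rulefile" >/dev/null 2>&1; then
            echo "ok   $host"
        else
            echo "FAIL $host"
            failed=1
        fi
    done < "$hostfile"
    return $failed
}
```

Run it as `lint_all hosts.txt pf.conf` from a pre-commit hook; a non-zero exit means at least one firewall rejected the rules, and rerunning `check_host` on that host without the redirects shows pfctl's error message.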