On 04/09/2020 17.24, Brian Brombacher wrote:
> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen <[email protected]> wrote:
>> Hi there misc!
>> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
>> generate rules, but we also write some manual ones that get merged. It would be nice
>> if we could lint the rules before they are committed to VCS (yes, we test before they
>> are applied on the machines as well, but that is way too late in a sane pipeline,
>> imho).
>> The problem is that pfctl expects that all interfaces and everything are correct
>> (which makes sense for pfctl before loading). BUT it is hard to run on a build
>> machine or my laptop to get a general idea of where I'm at (unless I'm missing
>> some tricks somewhere).
> Can the build machine securely request each server run pfctl -n -f temp_config ?
> That would verify it’ll load for sure on said server.
This would not be practical for many reasons and is exactly what I want
to avoid doing, hence the original question.
/T
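One way to get a local syntax check of the kind asked about above, as an added example that is not from anyone in this thread: run pfctl in parse-only mode (-n -f) and use its -D macro=value option to override every interface macro with lo0, which exists on any build machine or laptop, so the check is not tripped up by interface-address lookups for production NICs that are absent locally. The macro-detection heuristic (a macro whose value is a bare interface name such as em0) and the macro names in the test are assumptions; rules that name an interface literally rather than through a macro are not helped by this.

```shell
#!/bin/sh
# Lint a pf.conf on a machine that lacks the production interfaces by
# overriding interface macros with lo0 (pfctl -n -f FILE -D macro=lo0 ...).
# Added example; not code from the thread or from OpenBSD.

# Print macro names whose value looks like a bare interface name, e.g.
#   ext_if = "em0"   or   int_if = vio1
# Heuristic (assumption): at least one letter followed by digits, optional quotes.
pf_iface_macros() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*"\{0,1\}[a-z]\{1,\}[0-9]\{1,\}"\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# Build the pfctl argument list: parse only (-n), the ruleset (-f), and one
# -D name=lo0 override per interface macro given as remaining arguments.
pf_lint_args() {
    file=$1; shift
    printf '%s' "-n -f $file"
    for m in "$@"; do
        printf ' -D %s=lo0' "$m"
    done
}

# Run the actual check. Exit status is pfctl's: non-zero means the ruleset
# did not parse, which is what a pre-commit hook or CI step should fail on.
pf_lint() {
    file=$1
    macros=$(pf_iface_macros "$file")
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    pfctl $(pf_lint_args "$file" $macros)
}

# Usage: pf_lint /path/to/pf.conf
```

pfctl -n still resolves hostnames, tables loaded from files and anchors against the local machine, so a clean parse here means syntactically valid rules, not that the ruleset would load unchanged on the target host.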