> On Sep 4, 2020, at 11:28 AM, Brian Brombacher <br...@planetunix.net> wrote:
>
>> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen <to...@nevtelen.com> wrote:
>>
>> Hi there misc!
>>
>> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
>> generate rules but also write some manual ones that get merged. Would be
>> nice if we could lint the rules before they are committed to VCS (yes, we test
>> before they are applied on the machines as well, but that is way too late in
>> a sane pipeline imho).
Sane pipeline... :)
Developer machine: can that securely run pfctl -n? Linter is great... but
there’s a ton more involved.
>>
>> The problem is that pfctl expects all interfaces and everything else to be correct
>> (which makes sense for pfctl before loading), BUT that makes it hard to run on a
>> build machine or my laptop to get a general idea of where I'm at (unless I'm
>> missing some tricks somewhere).
>>
>
> Can the build machine securely request each server run pfctl -n -f
> temp_config ?
>
> That would verify it’ll load for sure on said server.
>
>> So I've been looking into parse.y in pfctl. It's been a long time since I've
>> messed around with very simple yacc stuff, so I'm kind of lost.
>>
>> Has anyone done anything like this? Would be good to know before I sink more
>> time into this (and probably fail) :)
>>
>> /T
>>
>
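As an added example (not from this thread), one way to implement Brian's suggestion on the pf hosts themselves: a forced-command wrapper for the build machine's SSH key that only ever runs `pfctl -n -f` on a ruleset received on stdin, so the build machine can dry-run-parse a candidate config against every real firewall's interfaces without being able to load it or run anything else. The script name, the `pfcheck` user, the `PFCTL` override and the size cap are assumptions.

```shell
#!/bin/sh
# pf-lint-remote (hypothetical name): forced-command wrapper installed on each pf host.
# Restrict the build machine's key in ~/.ssh/authorized_keys to this script, e.g.
#   command="/usr/local/bin/pf-lint-remote",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... build@ci
# The build machine then runs:   ssh pfcheck@fw1 pf-check < candidate.conf
# Only `pfctl -n -f` (parse/validate, never load) is ever executed, against the
# host's real interfaces and tables. The invoking user needs access to /dev/pf.

PFCTL="${PFCTL:-/sbin/pfctl}"   # overridable so the wrapper can be tested without pf (assumption)
MAX_KB=1024                     # cap on the size of a submitted ruleset (assumption)

# Accept exactly one client-requested command; everything else is refused.
pf_lint_allowed() {
    case "$1" in
        pf-check) return 0 ;;
        *)        return 1 ;;
    esac
}

# Copy the ruleset from stdin into a private temp file and dry-run parse it.
# Returns pfctl's exit status (0 = ruleset parsed cleanly on this host).
pf_lint_stdin() {
    tmp=$(mktemp /tmp/pf-lint.XXXXXX) || return 2
    dd bs=1k count="$MAX_KB" 2>/dev/null > "$tmp"
    if "$PFCTL" -n -f "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return "$rc"
}

main() {
    if ! pf_lint_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "pf-lint-remote: refused command: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
        exit 1
    fi
    pf_lint_stdin
}

# Only run main when installed and invoked under the wrapper's name.
case "$0" in */pf-lint-remote|pf-lint-remote) main ;; esac
```

A clean exit only says the ruleset parses and its interfaces and tables resolve on that host; it says nothing about whether the policy is the one you intended, so the post-apply tests Tommy mentions are still needed.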