On Wed, Sep 12, 2018 at 02:05:25PM +0200, Alexander Bluhm wrote:
> On Tue, Sep 11, 2018 at 12:17:05PM +0200, Klemens Nanni wrote:
> > Now `t' under the anonymous anchors (internally named "_1") must not be
> > modified through pfctl:
> >
> > 	# pfctl -a _1 -t t -T flush
> > 	0 addresses deleted.
>
> Why do you think that this semantic is wrong? Why should tables
> within an anonymous anchor be constant?

Because that's what I count as modifying reserved anchors from the command
line, similar to adding/removing rules or further anchors below it.
Thinking about it after your question made me realise that I'm not checking whether the table is used exclusively within the reserved anchor. Contrary to rules, the same table may be used in multiple places and my diff would rather naively prevent write access to them. Given the case of changing reserved anchors on the command line is already a corner case, trying to prevent users from editing automatically generated tables within them is even more so. Thanks for your feedback.
