Hi list,
With securelevel(7) set to 2, NAT and filter rules cannot be altered; however, as
stated in the pfctl.conf(5) manual, it is possible to modify tables by
adding/deleting entries
(https://man.openbsd.org/pf.conf.5#TABLES)
and this works fine. Question: why is it not possible to list the content of
tables?
kern.securelevel=2
pfctl -t whitelist -T show
pfctl: Operation not permitted.
while:
kern.securelevel=1
pfctl -t whitelist -T show
192.168.1.7
192.168.1.20
192.168.1.25
and, more oddly, adding the -v flag allows listing it anyway:
pfctl -t whitelist -v -T show
192.168.1.7
Cleared: Thu Sep 27 13:47:58 2018
192.168.1.20
Cleared: Thu Sep 27 13:47:58 2018
I am a bit confused: is this a bug, or am I missing something?
_
Zbyszek Żółkiewski