On Fri, Feb 22, 2019 at 12:42:02PM +0100, Alexandr Nedvedicky wrote:
> yes, that's what I thought. We have a kind 'service' on Solaris, which
> wraps pfctl to manage firewall. If firewall is being enabled, the service
> cleans up all rules (anchors). We basically dump the rulesets (pfctl -vsA)
> and then traverse from leaves to root to clean it up.
That's probably how I'd approach `-F Anchors'.
> so if I understand you right, your scenario for ruleset from my
> first email works as follows:
> pfctl -Fr # makes the anchors _1 and _1/_2 unreferenced
> # (they are not reachable from root any more)
>
> pfctl -FAnchors # purge all unreferenced anchors.
>
> the 'unreferenced' means the anchor is not reachable by any packet.
> like there is no path for packet between main ruleset and that particular
> anchor (and all its descendants).
Yes. With the regress suite for example, the following should leave no
trace of regress anchors or rules:
make
pfctl -f /etc/pf.conf
pfctl -F Anchors
> sure, I agree, adding a -FAnchors option is a more systemic approach, though
> such change is more complex. I think I can give it a try to prototype it.
Cool! I'm happy to help here.
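As an added illustration, not code from this thread or from pfctl itself, here is a small POSIX sh script that does the leaf-to-root cleanup Alexandr describes for the Solaris service: take an anchor listing, order it so every child anchor comes before its parent, then flush each one in that order. It assumes the listing arrives as one full anchor path per line (the constructed sample below stands in for a recursive `pfctl -sA` dump), and it assumes that flushing an anchor's rules with `pfctl -a <anchor> -F rules` is enough for an empty, unreferenced anchor to disappear; both are assumptions, not facts established by the thread. PFCTL defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Leaf-to-root anchor cleanup for pf (constructed example, not pfctl's code).
# Reads an anchor listing (assumed shape: one full anchor path per line,
# possibly indented) and flushes the deepest anchors first, so no anchor is
# touched before all of its descendants have been handled.

# Dry run by default; set PFCTL=pfctl to execute for real (as root).
PFCTL="${PFCTL:-echo pfctl}"

# Constructed sample listing standing in for the output of `pfctl -vsA`.
SAMPLE_ANCHORS='  regress
  regress/_1
  regress/_1/_2
  other
  other/a
'

# Print the anchors read from stdin ordered deepest first (depth = number of
# "/" separators); ties are broken reverse-lexically so the order is stable.
leaves_first() {
    while IFS= read -r line; do
        anchor=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$anchor" ] || continue
        depth=$(printf '%s' "$anchor" | tr -cd '/' | wc -c | tr -d ' ')
        printf '%s %s\n' "$depth" "$anchor"
    done | sort -k1,1nr -k2,2r | cut -d' ' -f2-
}

# Flush the rules of every anchor on stdin, children before parents.
# Assumption: an anchor that is empty and unreferenced is removed once flushed.
flush_anchors() {
    leaves_first | while IFS= read -r anchor; do
        $PFCTL -a "$anchor" -F rules
    done
}

# Dry run over the constructed sample.
printf '%s' "$SAMPLE_ANCHORS" | flush_anchors
```

Feed it the real listing with `pfctl -vsA | PFCTL=pfctl sh thisscript.sh` only after checking that the listing format matches the assumed one-path-per-line shape; with the default dry run the script just shows which anchors would be flushed and in what order.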