On Fri, Feb 22, 2019 at 12:42:02PM +0100, Alexandr Nedvedicky wrote:
> yes, that's what I thought. We have a kind of 'service' on Solaris, which
> wraps pfctl to manage the firewall. If the firewall is being enabled, the service
> cleans up all rules (anchors). We basically dump the rulesets (pfctl -vsA)
> and then traverse from leaves to root to clean it up.

That's probably how I'd approach `-F Anchors'.
> so if I understand you right, your scenario for the ruleset from my
> first email works as follows:
>
>     pfctl -Fr        # makes the anchors _1 and _1/_2 unreferenced
>                      # (they are not reachable from root any more)
>
>     pfctl -FAnchors  # purge all unreferenced anchors.
>
> 'unreferenced' means the anchor is not reachable by any packet,
> i.e. there is no path for a packet between the main ruleset and that particular
> anchor (and all its descendants).

Yes. With the regress suite for example, the following should leave no
trace of regress anchors or rules:

    make
    pfctl -f /etc/pf.conf
    pfctl -F Anchors

> sure, I agree, adding a -FAnchors option is a more systemic approach, though
> such a change is more complex. I think I can give it a try to prototype it.

Cool! I'm happy to help here.
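The "traverse from leaves to root" cleanup described in the quoted message, written out as an added example (this is not code from the thread, from pfctl or from the Solaris service). It takes a constructed listing of anchor paths in the one-path-per-line shape `pfctl -vsA` produces, orders them deepest-first so every child anchor is flushed before its parent, and prints the corresponding `pfctl -a <anchor> -Fr` commands without running them. The sample anchors and the assumption that pf discards an anchor only once it is empty and has no children (which is why the order matters) are mine, not the page's.

```shell
#!/bin/sh
# Constructed sample standing in for `pfctl -vsA` output: one anchor path per
# line, nested anchors written as parent/child. Not real output from the thread.
sample_anchors='
regress
regress/_1
regress/_1/_2
regress/_3
'

# Print anchor paths deepest-first. Depth is the number of "/" in the path;
# awk's gsub() returns that count and, replacing "/" with "/", leaves the
# line unchanged. Ties are broken alphabetically so the order is stable.
leaf_first() {
    printf '%s\n' "$1" \
        | awk 'NF { print gsub("/", "/"), $0 }' \
        | sort -k1,1nr -k2,2 \
        | cut -d' ' -f2-
}

# Emit the flush commands in leaf-to-root order. Dry run: the commands are
# printed, not executed, so this can be inspected before being piped to sh.
# Assumption (not stated on the page): an anchor disappears only when its
# ruleset is empty and it has no child anchors, hence children go first.
flush_cmds() {
    leaf_first "$1" | while IFS= read -r anchor; do
        printf 'pfctl -a %s -Fr\n' "$anchor"
    done
}

# Usage: review the plan, then `flush_cmds "$(pfctl -vsA)" | sh` on a real host.
flush_cmds "$sample_anchors"
```

Run against a live listing it would print `pfctl -a regress/_1/_2 -Fr` first and `pfctl -a regress -Fr` last; the proposed `pfctl -F Anchors` would replace this whole walk with a single call.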