Date: Wed, 26 Feb 2020 22:23:47 +0800
From: Jov <amutu@amutu.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: pfctl Recursive in anchor broken (DIOCGETRULES: Invalid argument)?
Message-ID: <CADyrUxPEp2Jx9bTmyc-wHff8NX_BYa9Sk0cA-zDe4WWK%2BmcKoQ@mail.gmail.com>
hi hackers,

I used fail2ban today and found that pfctl recursive anchors do not work: it reports nothing (pfctl -a 'f2b/*' -sr) or prints all main rules plus a warning (pfctl -a '*' -sr gives DIOCGETRULES: Invalid argument).

detail:

# pfctl -a 'f2b' -sA
> f2b/dovecot
> f2b/dovecot-auth-worker
> f2b/pam-generic
> f2b/postfix
> f2b/sshd

# pfctl -a 'f2b/sshd' -sr
> block drop quick proto tcp from <f2b-sshd> to any port = 46

# pfctl -a 'f2b/sshd/*' -sr
> block drop quick proto tcp from <f2b-sshd> to any port = 46

> pfctl -a 'f2b/*' -sr
>

# pfctl -a '*' -sr | less
> pfctl: DIOCGETRULES: Invalid argument
> scrub in all fragment reassemble
> block drop in log on vtnet0 all
> block drop out log on vtnet0 all
> ....other main rule

rules in /etc/pf.conf:
> block in log on $ext_if
> block out log on $ext_if
> anchor "f2b/*"

from man page of pfctl:
> By default, recursive inline printing of anchors applies only to
> unnamed anchors specified inline in the ruleset. If the anchor
> name is terminated with a ‘*’ character, the -s flag will
> recursively print all anchors in a brace delimited block. For
> example the following will print the “authpf” ruleset
> recursively:
> # pfctl -a 'authpf/*' -sr
> To print the main ruleset recursively, specify only ‘*’ as the
> anchor name:
> # pfctl -a '*' -sr

any idea?
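While the recursive listing misbehaves, an auditor can still see every fail2ban rule by walking the anchor tree by hand: list sub-anchors with -sA and dump each with -sr. This is an added example, not code from the mail, fail2ban or pfctl; the stand-in pfctl output is constructed from the listing above (only f2b/sshd has a rule), and run_pfctl assumes root on a pf-enabled FreeBSD host.

```python
"""Manual recursive anchor dump: 'pfctl -a X -sA' for sub-anchors, then
'pfctl -a X -sr' per anchor, instead of the broken 'pfctl -a "X/*" -sr'."""
import subprocess
from typing import Callable, Dict, List

Runner = Callable[[List[str]], str]


def run_pfctl(args: List[str]) -> str:
    """Invoke the real pfctl (requires root and a pf-enabled kernel)."""
    return subprocess.run(["pfctl", *args], check=True,
                          capture_output=True, text=True).stdout


# Constructed stand-in output so the example runs offline; anchor names and
# the sshd rule follow the mail, the other anchors are assumed to be empty.
SAMPLE_OUTPUT = {
    ("-a", "f2b", "-sA"): "  f2b/dovecot\n  f2b/dovecot-auth-worker\n"
                          "  f2b/pam-generic\n  f2b/postfix\n  f2b/sshd\n",
    ("-a", "f2b/sshd", "-sr"):
        "block drop quick proto tcp from <f2b-sshd> to any port = 46\n",
}


def fake_pfctl(args: List[str]) -> str:
    """Offline replacement for run_pfctl backed by SAMPLE_OUTPUT."""
    return SAMPLE_OUTPUT.get(tuple(args), "")


def _lines(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def list_anchors(anchor: str, run: Runner) -> List[str]:
    """Sub-anchors of `anchor`, as printed by 'pfctl -a <anchor> -sA'."""
    return _lines(run(["-a", anchor, "-sA"]))


def list_rules(anchor: str, run: Runner) -> List[str]:
    """Filter rules of one anchor, as printed by 'pfctl -a <anchor> -sr'."""
    return _lines(run(["-a", anchor, "-sr"]))


def dump_recursive(anchor: str, run: Runner = run_pfctl) -> Dict[str, List[str]]:
    """Depth-first walk of the anchor tree; maps each anchor path to its rules."""
    result = {anchor: list_rules(anchor, run)}
    for sub in list_anchors(anchor, run):
        result.update(dump_recursive(sub, run))
    return result


if __name__ == "__main__":
    for path, rules in dump_recursive("f2b", fake_pfctl).items():
        print(f"anchor {path!r}: {len(rules)} rule(s)")
        for rule in rules:
            print("    " + rule)
```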