From owner-freebsd-questions@freebsd.org Wed Feb 26 14:24:06 2020
From: Jov
Date: Wed, 26 Feb 2020 22:23:47 +0800
Subject: pfctl Recursive in anchor broken(DIOCGETRULES: Invalid argument)?
To: FreeBSD Mailing List

Hi hackers,

I used fail2ban today and found that pfctl recursive anchors do not work: it reports nothing (pfctl -a 'f2b/*' -sr), or it gets all the main rules and a warning (pfctl -a '*' -sr gives DIOCGETRULES: Invalid argument).

Detail:

# pfctl -a 'f2b' -sA
> f2b/dovecot
> f2b/dovecot-auth-worker
> f2b/pam-generic
> f2b/postfix
> f2b/sshd

# pfctl -a 'f2b/sshd' -sr
> block drop quick proto tcp from to any port = 46

# pfctl -a 'f2b/sshd/*' -sr
> block drop quick proto tcp from to any port = 46

# pfctl -a 'f2b/*' -sr

# pfctl -a '*' -sr | less
> pfctl: DIOCGETRULES: Invalid argument
> scrub in all fragment reassemble
> block drop in log on vtnet0 all
> block drop out log on vtnet0 all
> ....other main rules

Rules in /etc/pf.conf:

> block in log on $ext_if
> block out log on $ext_if
> anchor "f2b/*"

From the man page of pfctl:

> By default, recursive inline printing of anchors applies only to
> unnamed anchors specified inline in the ruleset. If the anchor
> name is terminated with a ‘*’ character, the -s flag will
> recursively print all anchors in a brace delimited block. For
> example the following will print the “authpf” ruleset
> recursively:
>
>     # pfctl -a 'authpf/*' -sr
>
> To print the main ruleset recursively, specify only ‘*’ as the
> anchor name:
>
>     # pfctl -a '*' -sr

Any idea?
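The post shows that the per-anchor forms (pfctl -a 'f2b' -sA and pfctl -a 'f2b/sshd' -sr) work even though the recursive 'f2b/*' form prints nothing. A workaround, added here as an example and not code from the original post or from FreeBSD/pf, is to do the recursion yourself: list an anchor's rules with -sr, list its child anchors with -sA, and descend into each child, printing the brace-delimited form the pfctl(8) man page describes. The PFCTL variable and the pf_walk_anchor function name are this example's own choices; the stub data used to exercise it offline is constructed to match the shape of the output in the post.

```shell
#!/bin/sh
# Added example: walk a pf anchor tree with per-anchor pfctl calls.
# Workaround for the case above, where `pfctl -a 'f2b/*' -sr` prints
# nothing: `pfctl -a ANCHOR -sA` and `pfctl -a ANCHOR -sr` each worked
# per anchor, so recurse over them by hand.
#
# PFCTL names the pfctl binary (an assumption of this example); it can
# be pointed at a stub such as a shell function to run without pf.
: "${PFCTL:=pfctl}"

# pf_walk_anchor NAME [INDENT]
# Prints NAME's rules, then recurses into every anchor nested under it,
# in the brace-delimited layout that `pfctl -a 'NAME/*' -sr` should give.
pf_walk_anchor() {
    printf '%sanchor "%s" {\n' "$2" "$1"

    # Rules directly in this anchor, indented one level deeper.
    "$PFCTL" -a "$1" -sr 2>/dev/null | sed "s/^/$2  /"

    # Child anchors: -sA prints one full path per line (f2b/sshd, ...),
    # possibly with leading whitespace, which is stripped before use.
    "$PFCTL" -a "$1" -sA 2>/dev/null | sed 's/^[[:space:]]*//' |
    while read -r child; do
        if [ -n "$child" ]; then
            pf_walk_anchor "$child" "$2  "
        fi
    done

    printf '%s}\n' "$2"
}

# Stand-alone use: ./pf_walk.sh f2b   (needs access to /dev/pf, i.e. root)
if [ $# -gt 0 ]; then
    pf_walk_anchor "$1"
fi
```

Run it as root, since pfctl needs /dev/pf; stderr is silenced inside the function so that an anchor without children or rules stays quiet, which also means a permission error shows up only as empty braces, so check that a plain pfctl -a 'f2b' -sA works first. If the parent anchor itself carries inline anchor rules, -sr prints those as well, which is the same thing the recursive form would have shown.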