Date: Sat, 04 Oct 2025 15:29:11 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: Florian Smeets <flo@smeets.xyz>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 9dfc5e03da50 - main - pfctl: allow tables to be defined inside anchors
Message-ID: <46127FD9-D4F4-4E65-A775-A301070C9FB3@FreeBSD.org>
In-Reply-To: <98515e3d-24ba-402e-b2c1-09e30cafeade@smeets.xyz>
References: <202509171415.58HEFdN0010140@gitrepo.freebsd.org> <98515e3d-24ba-402e-b2c1-09e30cafeade@smeets.xyz>
On 4 Oct 2025, at 9:45, Florian Smeets wrote:
> On 17.09.25 16:15, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=9dfc5e03da50d12f02c2b481139acf9f089d504f
>>
>> commit 9dfc5e03da50d12f02c2b481139acf9f089d504f
>> Author: Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2025-08-22 11:34:39 +0000
>> Commit: Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2025-09-17 14:15:13 +0000
>>
>> pfctl: allow tables to be defined inside anchors
>>
> Hi Kristof,
>
> this change prevents pf.conf from loading on one of my servers. It works fine with 3d14cc82d7a8, but does not with any version after. Just replacing pfctl with a version before 9dfc5e03da50 makes it work again.
>
> Tests on latest main:
>
> # pfctl -f /etc/pf.conf
> pfctl: failed to create table __automatic_d63f3745_0 in : Device busy
>
> Disabling the optimizer works around the issue.
>
> # pfctl -o none -f /etc/pf.conf && echo $?
> 0
>
> I was able to find a simple repro case.
>
> Take this ruleset:
>
> ---
> ext_if="igb0"
>
> host_ipv4="192.168.0.1"
> host_ipv6="3333:444:222:1843::2"
> mail="3333:444:222:1843::25:3"
> db="3333:444:222:1843::3306:5"
> db4="3333:444:222:1843::3306:4"
> web="3333:444:222:1843::80:6"
> amavis="3333:444:222:1843::aa:4"
>
> rdr-anchor "rdr/*"
>
> block in
> pass out
>
> # anti lockout during tests
> pass in on $ext_if proto tcp to ($ext_if) port ssh
>
> pass in on $ext_if proto tcp to { $host_ipv4, $host_ipv6, $mail, $amavis, $db, $db4, $web } port ssh
> ---
>
> It can be successfully loaded without disabling the optimizer if either the 7th element is removed from the second "pass in" ssh rule ($web in this case) or the 'rdr-anchor "rdr/*"' line is disabled.
>
Thanks for the report, and especially the test case. I'll add this to my todo list for next week.

— Kristof