pfctl Recursive in anchor broken(DIOCGETRULES: Invalid argument)?
Kristof Provost
kp at FreeBSD.org
Mon Mar 2 09:11:00 UTC 2020
On 26 Feb 2020, at 15:23, Jov wrote:
> hi hackers,
> I use fail2ban today and find pfctl recursive anchor do not work, it
> report
> nothing(pfctl -a 'f2b/*' -sr) or get all main rule and a warning(pfctl
> -a
> '*' -sr,get DIOCGETRULES: Invalid argument).
>
> detail:
>
> # pfctl -a 'f2b' -sA
>> f2b/dovecot
>> f2b/dovecot-auth-worker
>> f2b/pam-generic
>> f2b/postfix
>> f2b/sshd
>
> #pfctl -a 'f2b/sshd' -sr
>> block drop quick proto tcp from <f2b-sshd> to any port = 46
>> #pfctl -a 'f2b/sshd/*' -sr
>> block drop quick proto tcp from <f2b-sshd> to any port = 46
>> pfctl -a 'f2b/*' -sr
>> # pfctl -a '*' -sr | less
>> pfctl: DIOCGETRULES: Invalid argument
>> scrub in all fragment reassemble
>> block drop in log on vtnet0 all
>> block drop out log on vtnet0 all
>> ....other main rule
>
>
I’ve done a little digging, and as far as I can tell this has been
broken for years.
The good news is that I believe it’s only a problem w.r.t. actually
enumerating the anchor rules.
You can still list the anchors (`pfctl -sA -v`) and then print the rules
per anchor (e.g. `pfctl -a 'f2b/sshd' -sr`)
Obviously it’s a bug and should be fixed, but your ruleset should
actually do what you told it to do.
Best regards,
Kristof
More information about the freebsd-questions
mailing list