I've been using pf for years and really like it. I accidentally discovered some undesirable behavior from the rule parser that caused some rules to be skipped. This has happened to me twice and there was much hair pulling.
The short version is rules starting with # but ending in \ get treated as a multi-line comment instead of a single-line comment and it has the risk of silently ignoring a wanted rule immediately below. This does not match the behavior I'd expect, for example a line starting with # is entirely ignored in /bin/sh:

    # echo this is a comment \
    echo this is not a comment \
    or is it?

    # sh test.sh
    this is not a comment or is it?

But in pf.conf:

    #pass in on $int_if proto tcp from 1.1.1.1 \
    pass in on $int_if proto tcp from 1.2.3.4 \
        to any port 12345

    # pfctl -f /etc/pf.conf
    # pfctl -sr | grep 12345
    #

If you add a line between then:

    #pass in on $int_if proto tcp from 1.1.1.1 \

    pass in on $int_if proto tcp from 1.2.3.4 \
        to any port 12345

    # pfctl -f /etc/pf.conf
    # pfctl -sr | grep 12345
    pass in on re2 inet proto tcp from 1.2.3.4 to any port = 12345 flags S/SA keep state (if-bound)

I try to keep my firewall rules less than 80 chars in case I need to edit them on a dumb terminal. Sometimes I end up duplicating a continued line to make changes to an alternate copy and comment out the original, but if the newly commented out line ends in a backslash, my intended replacement is ignored.

I think pfctl should act like sh and ignore a line entirely if it begins with a comment.

Thanks for your consideration.
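A pre-load check for the situation reported above, as an added example that is not part of the original post and not pf's own code: it lists every rule line that a commented-out line ending in `\` would swallow. The function name `pf_swallowed_lines` is hypothetical, and the logic models only the behaviour described in the post (a comment starting the line, a backslash as its very last character, and a blank line ending the comment).

```sh
#!/bin/sh
# Added example: models the behaviour reported in the post, not pfctl's parser.

pf_swallowed_lines() {
    # $1: path to a pf.conf-style file.
    # Prints "LINENO: text" for each non-blank, non-comment line that is
    # absorbed into a preceding comment through backslash continuation.
    awk '
    {
        if (in_comment) {
            # This physical line is still part of the comment.
            if ($0 !~ /^[ \t]*$/ && $0 !~ /^[ \t]*#/)
                printf "%d: %s\n", NR, $0
            # The comment keeps going only if this line also ends in "\".
            in_comment = ($0 ~ /\\$/)
            next
        }
        # A comment line whose last character is a backslash starts the run.
        in_comment = ($0 ~ /^[ \t]*#/ && $0 ~ /\\$/)
    }' "$1"
}

# Constructed sample input, taken from the rules quoted in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#pass in on $int_if proto tcp from 1.1.1.1 \
pass in on $int_if proto tcp from 1.2.3.4 \
    to any port 12345
EOF
pf_swallowed_lines "$sample"
rm -f "$sample"
```

Run against a ruleset before `pfctl -f`, any output means a rule on the listed line will not be loaded.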