Anchor names beginning with '_' are reserved for internal use, but this particular case still works:
Automatically create a table that's bound to a specific anchor: # cat pf.conf anchor { pass keep state (max-src-conn-rate 100/10, overload <t>) } # pfctl -f pf.conf Verify it only exists under the anonymous anchor, not the main ruleset: # pfctl -s Anchors -v _1 # pfctl -t t -T show pfctl: Table does not exist # pfctl -a _1 -t t -T show # table is empty # Now `t' under the anonymous anchors (internally named "_1") must not be modified through pfctl: # pfctl -a _1 -t t -T flush 0 addresses deleted. Oops! The following diff fixes this but still allows read-only access: # ./obj/pfctl -a _1 -t t -T flush pfctl: anchor names beginning with '_' cannot be modified from the command line # ./obj/pfctl -a _1 -t t -T test ::1 0/1 addresses match. OK? Index: pfctl.8 =================================================================== RCS file: /cvs/src/sbin/pfctl/pfctl.8,v retrieving revision 1.171 diff -u -p -r1.171 pfctl.8 --- pfctl.8 11 Aug 2017 22:30:38 -0000 1.171 +++ pfctl.8 11 Sep 2018 09:50:55 -0000 @@ -94,8 +94,9 @@ The options are as follows: Apply flags .Fl f , .Fl F , +.Fl s , and -.Fl s +.Fl t only to the rules in the specified .Ar anchor . In addition to the main ruleset, Index: pfctl.c =================================================================== RCS file: /cvs/src/sbin/pfctl/pfctl.c,v retrieving revision 1.359 diff -u -p -r1.359 pfctl.c --- pfctl.c 8 Sep 2018 14:45:55 -0000 1.359 +++ pfctl.c 11 Sep 2018 09:50:55 -0000 @@ -2498,8 +2498,8 @@ main(int argc, char *argv[]) memset(anchorname, 0, sizeof(anchorname)); if (anchoropt != NULL) { - if (mode == O_RDONLY && showopt == NULL) { - warnx("anchors apply to -f, -F and -s only"); + if (mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL) { + warnx("anchors apply to -f, -F, -t and -s only"); usage(); } if (mode == O_RDWR &&
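Review bot: the pfctl.8 hunk lists `-t` among the flags an anchor applies to, but nothing in the man page says that anchors whose names begin with '_' can only be read, not modified, through `-t`, which is exactly the restriction the new warning message in the transcript ("anchor names beginning with '_' cannot be modified from the command line") introduces; suggest adding a sentence to that effect next to the flag list so users of `-a _1 -t t -T flush` know why it is refused. Minor: the man page orders the flags as `-f`, `-F`, `-s`, `-t` while the new warnx text in pfctl.c says "-f, -F, -t and -s"; pick one order for both.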
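Review bot: the pfctl.c hunk only widens the `mode == O_RDONLY && showopt == NULL` check with `&& tblcmdopt == NULL`, so that table commands under `-a` are no longer rejected outright; the check that actually refuses modification of '_'-prefixed anchors (the source of "anchor names beginning with '_' cannot be modified from the command line" in the test transcript) is not in the visible lines, and the hunk is cut off at `if (mode == O_RDWR &&`. Please post the complete diff, since as shown the patch would still allow `pfctl -a _1 -t t -T flush` to succeed and the "0 addresses deleted." case the mail describes would not be fixed.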