Anchor names beginning with '_' are reserved for internal use, but this
particular case still works:
Automatically create a table that's bound to a specific anchor:
# cat pf.conf
anchor {
pass keep state (max-src-conn-rate 100/10, overload <t>)
}
# pfctl -f pf.conf
Verify it only exists under the anonymous anchor, not the main ruleset:
# pfctl -s Anchors -v
_1
# pfctl -t t -T show
pfctl: Table does not exist
# pfctl -a _1 -t t -T show # table is empty
#
Now `t' under the anonymous anchor (internally named "_1") must not be
modified through pfctl:
# pfctl -a _1 -t t -T flush
0 addresses deleted.
Oops! The following diff fixes this but still allows read-only access:
# ./obj/pfctl -a _1 -t t -T flush
pfctl: anchor names beginning with '_' cannot be modified from the
command line
# ./obj/pfctl -a _1 -t t -T test ::1
0/1 addresses match.
OK?
Index: pfctl.8
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.171
diff -u -p -r1.171 pfctl.8
--- pfctl.8 11 Aug 2017 22:30:38 -0000 1.171
+++ pfctl.8 11 Sep 2018 09:50:55 -0000
@@ -94,8 +94,9 @@ The options are as follows:
Apply flags
.Fl f ,
.Fl F ,
+.Fl s ,
and
-.Fl s
+.Fl t
only to the rules in the specified
.Ar anchor .
In addition to the main ruleset,
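Review bot: with `.Fl t` added to the list, the sentence still ends in "only to the rules in the specified anchor", but `-t` operates on tables, not rules; consider "only to the rules and tables in the specified anchor" so the manual describes what the new flag actually does. The rest of the hunk (the comma and `and` moved from `.Fl s` to `.Fl t`) is consistent with the `@@ -94,8 +94,9 @@` line count.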
Index: pfctl.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.359
diff -u -p -r1.359 pfctl.c
--- pfctl.c 8 Sep 2018 14:45:55 -0000 1.359
+++ pfctl.c 11 Sep 2018 09:50:55 -0000
@@ -2498,8 +2498,8 @@ main(int argc, char *argv[])
memset(anchorname, 0, sizeof(anchorname));
if (anchoropt != NULL) {
- if (mode == O_RDONLY && showopt == NULL) {
- warnx("anchors apply to -f, -F and -s only");
+ if (mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL) {
+ warnx("anchors apply to -f, -F, -t and -s only");
usage();
}
if (mode == O_RDWR &&
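Review bot: the relaxed condition `mode == O_RDONLY && showopt == NULL && tblcmdopt == NULL` only stops `usage()` from firing for read-only table commands; the rejection described above for modifying `_`-prefixed anchors (`anchor names beginning with '_' cannot be modified from the command line`) is not visible in this hunk, which is cut off at `if (mode == O_RDWR &&`, so please post the full hunk so reviewers can see where that check lives and that it covers every table command that opens the device `O_RDWR`. Minor: the `warnx` text lists the flags as `-f, -F, -t and -s` while the manual page hunk orders them `-f, -F, -s, and -t`; use one order in both places.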