Hello,

This issue has been reported by one of our customers.

Consider a pf.conf that comes with rules as follows:

    anchor {
        pass all
        anchor {
            block all
        }
    }

We load pf.conf into the kernel (pfctl -f pf.conf) and display what got loaded:

    lumpy# ./pfctl -f /tmp/pf.conf
    lumpy# ./pfctl -sr
    anchor all {
      pass all flags S/SA
      anchor all {
        block drop all
      }
    }

So far so good. Now let's flush the rules from the kernel:

    lumpy# ./pfctl -Fr
    rules cleared
    lumpy# ./pfctl -sr
    lumpy#

However, the underscore anchors are still there:

    lumpy# ./pfctl -vsA
      _1
      _1/_2
    lumpy#

I could not figure out any existing way to remove them, hence I'm proposing a small patch, which allows me to remove those 'underscore' anchors by doing this:

    lumpy# ./pfctl -a _1/_2 -Fr
    rules cleared
    lumpy# ./pfctl -a _1 -Fr
    rules cleared
    lumpy# ./pfctl -vsA
    lumpy#

Does the patch below make sense? Or are there some pitfalls I'm not aware of?

thanks and regards
sashan

--------8<---------------8<---------------8<------------------8<--------
--- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -2445,7 +2445,16 @@ main(int argc, char *argv[]) warnx("anchors apply to -f, -F, -s, and -T only"); usage(); } + + /* + * we want enable administrator to flush anonymous anchors, + * thus '_' should be allowed for '-Fr' only. Also make sure + * we fail in case of option combination as follows: + * pfctl -a _1 -Fr -f /some/rules.conf + */ if (mode == O_RDWR && tblcmdopt == NULL && + (clearopt == NULL || *clearopt != 'r' || + rulesopt != NULL) && (anchoropt[0] == '_' || strstr(anchoropt, "/_") != NULL)) errx(1, "anchor names beginning with '_' cannot " "be modified from the command line");
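Review bot: The new comment says '_' anchors should be touchable "for '-Fr' only", but the added condition only refuses the combination when rulesopt != NULL; any other option that puts pfctl into mode == O_RDWR alongside -a _1 -Fr still passes the check, so either the comment should say "-Fr with no -f" or the test should be tightened to the set of options you actually intend to allow. Two smaller points on the same hunk: only the first character of clearopt is compared (*clearopt != 'r'), so any -F argument beginning with 'r' qualifies, which is worth confirming against how -F arguments are parsed elsewhere; and the comment text "we want enable administrator to flush anonymous anchors" should read "we want to enable the administrator to flush anonymous anchors". Since the existing errx message still tells the user that '_' anchors "cannot be modified from the command line", the pfctl(8) man page text on underscore anchors should be updated in the same change to document the new -Fr exception.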