I was curious about migrating my main ruleset entirely over to anchors. Perhaps it is a bad idea, but I was thinking that I could make everything dynamic or scheduled. When I used Linux, I used iptables, and that natively supported time of day. I want to achieve the same sort of thing; ideally, I won't need to restart pf and can update the anchors whenever I like.
With that, it seems like I might be hitting some limit on the number of anchors I can declare, but it is strange because it is with one particular anchor that even with no rules, pf fails to start.
Enabling pfpfctl: DIOCADDRULENV: Device busy
/etc/rc.d/pf: WARNING: Unable to load rules.pf.
Enabling pfpfctl: DIOCXCOMMIT: Invalid argument
/etc/rc.d/pf: WARNING: Unable to load rules.pf.
Enabling pfpfctl: DIOCXCOMMIT: Invalid argument
/etc/rc.d/pf: WARNING: Unable to load rules.pf.
The first error message is when the rules in the anchor were all commented out. The last 2 were with the rules in the anchor entirely removed. I wanted to see if it was reproducible or if it was hitting different errors each time. It appears to be 100% reproducible.
1. Is there a limit on the number of anchors?
2. Some of my other anchors that work have much longer anchor names, so I don't think there is an issue with the anchor name. It has numbers, an underscore, and alpha characters just like all of the other anchors that work just fine.