PF Display all pf rules attached at an anchor: pfctl -a 'name/*' -sr

[ovirt]

From pfctl(8):

If the anchor name is terminated with a `*' character, the -s flag will recursively print all anchors in a brace delimited block. For example the following will print the "authpf" ruleset recursively:

  # pfctl -a 'authpf/*' -sr

So in /etc/pf.conf:
anchor "jails/*"

However:

# pfctl -a jails/website -f website.pf
#
# pfctl -a 'jails/website' -sr
pass in on epair1a inet proto tcp from 10.1.10.0/24 port = http to 10.1.10.0/24 flags S/SA keep state
pass out on epair1a inet proto tcp from 10.1.10.0/24 to 10.1.10.0/24 port = http flags S/SA keep state
#
# pfctl -a 'jails/*' -sr
#

Am I doing something wrong?

 

[ovirt]

I see the recursion printing feature of pfctl(8) has been fraught with bugs, e.g.

pfctl Recursive in anchor broken(DIOCGETRULES: Invalid argument)?

 

[joelp]

Yes I also found this issue, then I searched it and found a link about it, but it was marked as fixed in 2022.

[pf][patch] Anchor "blacklistd/*" not correctly shown in pfctl -a \* -s rules

 

[ovirt]

Yes, from a test just now it seems to have addressed only the case with pfctl -a '*' -s rules (only tried to a single level of nesting).

Neither pfctl -a 'jails/*' -s rules nor pfctl -a '*' -s nat are working for me - for the former there is no output (as per OP) and the latter gives the DIOCGETRULES error.