From:
Rafał Ramocki <rafal.ramocki@eo.pl>
Subject:
Error when at startup more than 512 anchors are loaded from pf.conf
To:
tech <tech@openbsd.org>
Date:
Thu, 17 Apr 2025 17:48:47 +0200

Hello, 

I'm facing a problem with loading pf.conf at system startup when more than 512 anchors are defined, despite "set limit anchors 1024" being set in pf.conf. When loading the ruleset defined in pf.conf and its "load anchor" directives, pf prints the following error:

pfctl: DIOCADDRULE: Invalid argument. 

I think that problem was introduced in 7.2 with this change: 

https://github.com/openbsd/src/commit/fa90ac5c787b88bcd714c01650b5cded334d9725

At startup there is a limit of 512 anchors. When more than the default limit of 512 anchors are loaded in one transaction and the limit is increased in that same transaction, we get the error above.

I think that my use case is valid. I use one anchor per VPN user to load separate rules for each of them:

This configuration is in pf.conf: 

anchor "vpn" in on tun0 
load anchor vpn from "/etc/anchors/vpn/users.conf" 

And users.conf looks like this: 

anchor "user1" in from 172.31.210.101 { 
pass in quick log proto tcp to X.X.X.X port 8080 
pass in quick log proto tcp to Y.Y.Y.Y port { 80 443 } 
(...) 
} 
anchor "user2" in from 172.31.210.105 { 
pass in quick log proto tcp to Z.Z.Z.Z port 3306 
(...) 
} 
(...) 

I wonder how I can work around this problem.
-- 
Rafal Ramocki
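A pre-reboot check for the situation described in this post, added here as an example and not part of the original message or of OpenBSD: it counts the anchor definitions reachable from a pf.conf (following "load anchor ... from" into a constructed path-to-contents mapping so it runs offline) and reports whether they fit under the 512 startup limit regardless of any "set limit anchors" line. The 512 default, the two-file layout and the per-user anchors mirror the post; the user count and addresses are constructed sample data.

```python
import re

# Default hard limit on anchors at startup, as reported in the post above.
DEFAULT_ANCHOR_LIMIT = 512

_ANCHOR_DEF = re.compile(r'^\s*anchor\s+"[^"]+"')
_LOAD_ANCHOR = re.compile(r'^\s*load\s+anchor\s+\S+\s+from\s+"([^"]+)"')
_LIMIT_SET = re.compile(r'^\s*set\s+limit\s+anchors\s+(\d+)')

def strip_comment(line):
    """Drop a trailing '#' comment unless the '#' sits inside double quotes."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            break
        out.append(ch)
    return ''.join(out)

def count_anchors(text, files):
    """Count anchor definitions in text, following 'load anchor ... from'
    into files (a path -> contents mapping, so nothing is read from disk).
    Nested anchors inside { } blocks sit on their own lines and count too."""
    total = 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        if _ANCHOR_DEF.match(line):
            total += 1
        m = _LOAD_ANCHOR.match(line)
        if m and m.group(1) in files:
            total += count_anchors(files[m.group(1)], files)
    return total

def requested_limit(text):
    """Return the value of 'set limit anchors N' in the config, if present."""
    for raw in text.splitlines():
        m = _LIMIT_SET.match(strip_comment(raw))
        if m:
            return int(m.group(1))
    return None

def check_config(main_conf, files, startup_limit=DEFAULT_ANCHOR_LIMIT):
    """Return (anchor_count, requested_limit, fits_within_startup_limit)."""
    n = count_anchors(main_conf, files)
    return n, requested_limit(main_conf), n <= startup_limit

# Constructed sample mirroring the post: one anchor per VPN user, 600 users.
USERS_CONF = "".join(
    f'anchor "user{i}" in from 172.31.210.{100 + i % 100} {{\n'
    f'  pass in quick proto tcp to 10.0.0.1 port 8080\n}}\n' for i in range(600))
MAIN_CONF = ('set limit anchors 1024\nanchor "vpn" in on tun0\n'
             'load anchor vpn from "/etc/anchors/vpn/users.conf"\n')
FILES = {"/etc/anchors/vpn/users.conf": USERS_CONF}

if __name__ == "__main__":
    print(check_config(MAIN_CONF, FILES))  # (601, 1024, False)
```

A False third value means the ruleset would hit the startup limit in one transaction even though a higher limit is requested in the same file.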