
From:
Jacob Leifman <jacobl@bitwise.net>
Subject:
disturbing pfctl behavior in 7.8
To:
tech@openbsd.org
Date:
Sat, 22 Nov 2025 18:07:08 -0500

Recently upgraded a bunch of OpenBSD servers to 7.8 with all (6) official patches; a few bare-metal, the rest VMs, unfortunately all amd64.

I now see the following unexpected and not previously observed behavior: whenever pfctl has a negative outcome relating to a PF table -- such as a non-existent table or no match found -- it spits out an additional seven lines of errors:

/root:36# pfctl -t nosuch -Ts
pfctl: Table does not exist
pfctl: DIOCSETLIMIT (states): Permission denied
pfctl: DIOCSETLIMIT (src-nodes): Permission denied
pfctl: DIOCSETLIMIT (frags): Permission denied
pfctl: DIOCSETLIMIT (tables): Permission denied
pfctl: DIOCSETLIMIT (table-entries): Permission denied
pfctl: DIOCSETLIMIT (pktdelay-pkts): Permission denied
pfctl: DIOCSETLIMIT (anchors): Permission denied

/root:41# pfctl -t friends -Tt 1.2.3.4
0/1 addresses match.
pfctl: DIOCSETLIMIT (states): Permission denied
pfctl: DIOCSETLIMIT (src-nodes): Permission denied
pfctl: DIOCSETLIMIT (frags): Permission denied
pfctl: DIOCSETLIMIT (tables): Permission denied
pfctl: DIOCSETLIMIT (table-entries): Permission denied
pfctl: DIOCSETLIMIT (pktdelay-pkts): Permission denied
pfctl: DIOCSETLIMIT (anchors): Permission denied

If this is a known issue, is there a patch I can apply? Otherwise, what additional diagnostics can I provide?

Thank you,

-Jacob.