From: Christian Schulte <cs@schulte.it>
Subject: Re: fix pfctl -nvf output for newly added limiters
To: tech@openbsd.org
Date: Sat, 31 Jan 2026 08:02:47 +0100

On 29.01.2026 at 01:40, Alexandr Nedvedicky wrote:
> Hello,
> 
> the issue has been reported off-list by Kristof Provost from FreeBSD.
> 
> pfctl -nvf should produce output which can be fed back to pfctl(8).
> It is not the case for newly added limiters. Consider rules as follows:
> 
> source limiter "test" id 1 entries 5 \
>    limit 1 rate 100/10 \
>    inet mask 32
> 
> pass out all
> block in all
> pass in quick proto tcp from any to self port 22 source limiter "test" (no-match)
> block return
> 
> running pfctl -nvf on the ruleset above gives output as follows on current:
> 
> source limiter test id 1 limit 5 states 1 rate 100/10
> pass out all flags S/SA
> block drop in all
> pass in quick inet proto tcp from any to 127.0.0.1 port = 22 flags S/SA source limiter id 1 (no-match)
> pass in quick inet proto tcp from any to 192.168.2.61 port = 22 flags S/SA source limiter id 1 (no-match)
> pass in quick inet proto tcp from any to 172.16.1.1 port = 22 flags S/SA source limiter id 1 (no-match)
> pass in quick inet proto tcp from any to 172.27.232.115 port = 22 flags S/SA source limiter id 1 (no-match)
> pass in quick inet6 proto tcp from any to ::1 port = 22 flags S/SA source limiter id 1 (no-match)
> pass in quick on lo0 inet6 proto tcp from any to fe80::1 port = 22 flags S/SA source limiter id 1 (no-match)
> block return all
> 
> the definition of the limiter above does not match the grammar expected
> by the parser. The required modifications are:
> 	s/limit/entries
> 	s/states/limit
> 
> The issue has been reported by Kristof.
> 
> The diff below also makes pfctl(8) print the limiter name instead of the id
> if a particular rule refers to a limiter.
> 
> Diff below fixes the output to:
> 
> source limiter "test" id 1 entries 5 limit 1 rate 100/10
> pass out all flags S/SA
> block drop in all
> pass in quick inet proto tcp from any to 127.0.0.1 port = 22 flags S/SA source limiter test (no-match)
> pass in quick inet proto tcp from any to 192.168.2.61 port = 22 flags S/SA source limiter test (no-match)
> pass in quick inet proto tcp from any to 172.16.1.1 port = 22 flags S/SA source limiter test (no-match)
> pass in quick inet proto tcp from any to 172.27.232.115 port = 22 flags S/SA source limiter test (no-match)
> pass in quick inet6 proto tcp from any to ::1 port = 22 flags S/SA source limiter test (no-match)
> pass in quick on lo0 inet6 proto tcp from any to fe80::1 port = 22 flags S/SA source limiter test (no-match)
> block return all
> 

Not sure but I think it would be better to add quotes around the limiter
name. The lexer already is confusing enough. Although it is perfectly
valid to output

source limiter test

I'd prefer

source limiter "test".

Just my 2 cents...

Regards,
-- 
Christian
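A stopgap for the round-trip problem in the quoted report, as an added example that is not part of this thread or of the OpenBSD diff: it rewrites a pre-fix `pfctl -nvf` dump into the grammar the parser expects (the two keyword renames Alexandr lists, plus quoting the limiter name as Christian prefers) and resolves `source limiter id N` references in rules back to the name. It assumes the dump format shown above and nothing about pfctl internals; Python is used instead of sed so the id-to-name mapping can be checked rather than guessed.

```python
"""Rewrite a pre-fix 'pfctl -nvf' dump so pfctl can parse it again.
Added example, not from the OpenBSD diff; stopgap until pfctl is patched."""
import re
import sys

# Keyword renames on the limiter definition line, as the report states them:
# s/limit/entries, s/states/limit.  Applied per token, so the original
# "limit" keyword is never renamed twice.
DEF_RENAMES = {"limit": "entries", "states": "limit"}
DEF_RE = re.compile(r'^source limiter (\S+) id (\d+)\b')  # definition line
REF_RE = re.compile(r'\bsource limiter id (\d+)\b')        # reference in a rule


def fix_limiter_definition(line):
    """Quote the limiter name and rename the misprinted keywords."""
    tokens = line.split()
    name = tokens[2].strip('"')
    # Only a pre-fix dump carries the "states" keyword; a line that is already
    # correct gets no renames (just quoting), which keeps the rewrite idempotent.
    renames = DEF_RENAMES if "states" in tokens else {}
    fixed = ["source", "limiter", '"%s"' % name]
    fixed.extend(renames.get(tok, tok) for tok in tokens[3:])
    return " ".join(fixed)


def fix_pfctl_output(text):
    """Fix every definition line, then replace 'source limiter id N' in the
    rules with the quoted name collected from the definitions."""
    id_to_name = {}
    lines = []
    for line in text.splitlines():
        m = DEF_RE.match(line)
        if m:
            id_to_name[m.group(2)] = m.group(1).strip('"')
            line = fix_limiter_definition(line)
        lines.append(line)

    def to_name(m):
        name = id_to_name.get(m.group(1))
        if name is None:  # the dump never defined this limiter: refuse to guess
            raise ValueError("rule references unknown limiter id %s" % m.group(1))
        return 'source limiter "%s"' % name

    return "\n".join(REF_RE.sub(to_name, line) for line in lines)


if __name__ == "__main__":  # usage: pfctl -nvf /etc/pf.conf | python3 fix_limiters.py
    sys.stdout.write(fix_pfctl_output(sys.stdin.read()) + "\n")
```

Feed the rewritten dump to `pfctl -nf` to confirm it parses; once the fix from the diff is installed the script is a no-op on the new output.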