From: Jacob Leifman
Subject: disturbing pfctl behavior in 7.8
To: tech@openbsd.org
Date: Sat, 22 Nov 2025 18:07:08 -0500

Recently upgraded a bunch of OpenBSD servers to 7.8 with all (6) official patches; a few bare-metal, the rest VMs, unfortunately all amd64.

I now see the following unexpected and not previously observed behavior, whenever pfctl has a negative outcome relating to a PF table -- such as non-existent table or no match found -- it spits out an additional seven lines of errors:

/root:36# pfctl -t nosuch -Ts
pfctl: Table does not exist
pfctl: DIOCSETLIMIT (states): Permission denied
pfctl: DIOCSETLIMIT (src-nodes): Permission denied
pfctl: DIOCSETLIMIT (frags): Permission denied
pfctl: DIOCSETLIMIT (tables): Permission denied
pfctl: DIOCSETLIMIT (table-entries): Permission denied
pfctl: DIOCSETLIMIT (pktdelay-pkts): Permission denied
pfctl: DIOCSETLIMIT (anchors): Permission denied

/root:41# pfctl -t friends -Tt 1.2.3.4
0/1 addresses match.
pfctl: DIOCSETLIMIT (states): Permission denied
pfctl: DIOCSETLIMIT (src-nodes): Permission denied
pfctl: DIOCSETLIMIT (frags): Permission denied
pfctl: DIOCSETLIMIT (tables): Permission denied
pfctl: DIOCSETLIMIT (table-entries): Permission denied
pfctl: DIOCSETLIMIT (pktdelay-pkts): Permission denied
pfctl: DIOCSETLIMIT (anchors): Permission denied

If this is a known issue, is there a patch I can apply? Otherwise, what additional diagnostics can I provide?

Thank you,
-Jacob.