From: Alexandr Nedvedicky
Subject: Re: pfctl: fix resetting limits
To: Carsten Beckmann
Cc: "tech@openbsd.org"
Date: Tue, 25 Nov 2025 01:13:19 +0100

Hello,

On Mon, Nov 24, 2025 at 01:21:10PM +0000, Carsten Beckmann wrote:
>
> I agree, my change would lead to an error in that situation. In
> general this is caused by a bigger issue with pf/pfctl though: Even if
> you have two perfectly valid configurations for pf you might not be
> able to switch between them without an intermediary step like 'pfctl -F
> rules'. For example, try this:
>
> # echo 'set limit anchors 1024' > anchors.conf
> # for i in `seq 640`; do echo "anchor \"test_$i\"" >> anchors.conf; done
> # echo 'set limit anchors 512' > lower-limit.conf
> # echo 'anchor "test_zero"' >> lower-limit.conf
> # pfctl -f anchors.conf
> # echo $?
> 0
> # pfctl -f lower-limit.conf
> pfctl: Current pool size exceeds requested anchors limit 512
> pfctl: Current pool size exceeds requested anchors limit 512
> # echo $?
> 1

Yes, one indeed needs to do pfctl -Fr/pfctl -Fa to drop all rules when
limits are to be lowered. pfctl cannot shrink the allocation pool when
the number of objects currently allocated exceeds the new limit the user
is about to set.

I think 'pfctl -FReset', so it will restore built-in defaults, is desired.
Currently 'pfctl -FaR' does not work as expected. I think the desired
behavior for 'pfctl -FaR' is to drop all rules and restore built-in
defaults.

thanks and
regards
sashan
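The reproduction quoted above and the workaround sashan describes (flush the ruleset with pfctl -Fr before loading a config whose limit is below the number of currently allocated objects), put together as a script. This is an added example, not code from the thread or from OpenBSD; the function names (gen_anchor_conf, load_with_lower_limit, demo) and the PF_DEMO environment variable are this example's own. The pfctl steps need root on an OpenBSD host with pf enabled and are only run when PF_DEMO=1 is set; the config generator runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "Current pool size
# exceeds requested anchors limit" failure and apply the pfctl -Fr workaround.
# pfctl is only invoked from demo(), which runs when PF_DEMO=1 is exported.

# Emit a pf.conf with 'set limit anchors $1' followed by $2 anchor rules
# (constructed to mirror anchors.conf / lower-limit.conf in the thread).
gen_anchor_conf() {
    limit=$1
    count=$2
    printf 'set limit anchors %s\n' "$limit"
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'anchor "test_%s"\n' "$i"
        i=$((i + 1))
    done
}

# Number of anchor rules in a config read from stdin.
count_anchor_rules() {
    grep -c '^anchor '
}

# Load a config whose limits may be lower than what pf currently has
# allocated.  A plain 'pfctl -f' is tried first; if pf refuses because the
# pool cannot shrink, the ruleset is flushed (pfctl -Fr) so the pool can be
# reduced, then the load is retried.  The config is syntax-checked with
# 'pfctl -n' before anything is flushed, so a typo does not leave the host
# with no rules loaded.  Note the flush/reload window itself runs with an
# empty ruleset, so do this from a console or an otherwise trusted path.
load_with_lower_limit() {
    conf=$1
    if pfctl -f "$conf"; then
        return 0
    fi
    echo "plain load of $conf failed; checking syntax before flushing" >&2
    pfctl -nf "$conf" || return 1
    echo "flushing rules and retrying" >&2
    pfctl -Fr && pfctl -f "$conf"
}

# Recreate the thread's scenario: 640 anchors under a limit of 1024, then
# try to switch to a config that sets the limit to 512.
demo() {
    tmp=$(mktemp -d) || return 1
    gen_anchor_conf 1024 640 > "$tmp/anchors.conf"
    gen_anchor_conf 512 1 > "$tmp/lower-limit.conf"
    pfctl -f "$tmp/anchors.conf" || { rm -rf "$tmp"; return 1; }
    load_with_lower_limit "$tmp/lower-limit.conf"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "${PF_DEMO:-0}" = "1" ]; then
    demo
fi
```

Run it as root with `PF_DEMO=1 sh ./pf-limit-demo.sh`; the first `pfctl -f` of the lower limit fails exactly as in the quoted session, and the retry after `pfctl -Fr` succeeds. The generator and counter can be exercised without pf at all.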