Bug 240130 - pfctl reports anchors containing a "/" incorrectly
Summary: pfctl reports anchors containing a "/" incorrectly
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-pf (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-26 17:36 UTC by Tim Chase
Modified: 2025-04-15 19:33 UTC

See Also:


Description Tim Chase 2019-08-26 17:36:43 UTC
tl;dr: Simple reduced example
=============================

  $ echo 'anchor "blacklistd/*"' | pfctl -nvf -

on OpenBSD, this outputs what I'd expect:

  anchor "blacklistd/*" all

however on FreeBSD (tried 12-RELEASE-p10 here, and got corroboration from "Evilham" on IRC for 13.0-CURRENT), this outputs

  anchor "/*" all

where the anchor name has been stripped out. The "/" seems to cause the issue since the following all produce the results I expect (whether useful, sensible, or not):

  $ echo 'anchor "blacklistd"' | pfctl -nvf -
  $ echo 'anchor "blacklistd*"' | pfctl -nvf -
  $ echo 'anchor "*"' | pfctl -nvf -


Longer details/backstory:
=========================

Was trying to figure out why blacklistd wasn't populating the anchor properly with blocking rules. After a morning of troubleshooting, determined that blacklistd was correctly interacting with sshd, and /usr/libexec/blacklistd-helper was getting as far as invoking `pfctl` with the (AFAIK) correct parameters, but pf didn't seem to have the anchor in place.  I tracked it down to the lack of a "blacklistd/*" anchor existing.  So I experimented with my pf.conf file stripping it down to the bare essentials of just a "scrub in all" and that one 'anchor "blacklistd"' entry, only to see that loading the pf.conf file still listed the only anchor as "/*" not "blacklistd/*".

kevins91 on #freebsd in IRC said to create a PR and to CC kp@ so here it is.
Comment 1 Marek Zarychta 2019-08-26 18:40:50 UTC
It looks like pfctl -v is lying about the anchor name but adds the correct anchor. Try to issue this command to verify:

  echo 'anchor "blacklistd/*"' | pfctl -vf - && pfctl -sr
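A small regression check for the behaviour Marek describes, added here as an example and not part of the bug report: it pulls the quoted anchor names out of pfctl rule listings and compares the names the parser prints (pfctl -nvf) with the names in the loaded ruleset (pfctl -sr). The sample listings are constructed from the lines quoted in this report; the `live_check` function, which does run pfctl, only parses a file (-n) and reads the loaded rules, so it does not modify the running ruleset.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pfctl.

# Constructed sample listings (a "scrub in all" plus the blacklistd anchor,
# as in the reporter's stripped-down pf.conf).
BUGGY_PARSE='scrub in all
anchor "/*" all'
FIXED_PARSE='scrub in all
anchor "blacklistd/*" all'
LOADED_RULES='scrub in all
anchor "blacklistd/*" all'

# Print the quoted name of every 'anchor "..."' rule read on stdin, one per line.
anchor_names() {
    sed -n 's/^[[:space:]]*anchor "\([^"]*\)".*/\1/p'
}

# $1: parser output (pfctl -nvf), $2: loaded ruleset (pfctl -sr).
# Returns 0 when both list the same anchor names in the same order,
# otherwise prints both lists and returns 1.
check_anchor_printing() {
    parsed=$(printf '%s\n' "$1" | anchor_names)
    loaded=$(printf '%s\n' "$2" | anchor_names)
    if [ "$parsed" = "$loaded" ]; then
        return 0
    fi
    printf 'anchor names differ\nparsed: %s\nloaded: %s\n' "$parsed" "$loaded"
    return 1
}

# Run the check against a real system: parse $1 (default /etc/pf.conf)
# without loading it and compare with what pf currently has loaded.
# Assumes the file in $1 is the ruleset that is currently loaded.
live_check() {
    conf=${1:-/etc/pf.conf}
    check_anchor_printing "$(pfctl -nvf "$conf")" "$(pfctl -sr)"
}
```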
Comment 2 Tim Chase 2019-08-27 15:48:53 UTC
Okay, that makes me feel a little better that it's not *totally* borked. But the lying is still an unfortunate bug. I've updated the description of the PR to reflect that.
Comment 3 Jose Luis Duran 2025-04-15 19:33:06 UTC
This issue no longer appears to be present in any supported version:

    $ echo 'anchor "blacklistd/*"' | pfctl -nvf -
    anchor "blacklistd/*" all

Probably fixed in 585a5ed0bef4 ("pfctl: fix recursive printing of anchors").

Thank you!