Created attachment 270776 [details]
Diff to fix the bug

The current version of /etc/periodic/security/520.pfdenied is broken: it fails in the loop iterating through the list of anchors (empty, blacklistd, blocklistd) because the anchor name is passed as an argument to pfctl -a. For the first item, the empty string, this results in a syntax error. Sample output from "sh -x 520.pfdenied":

+ pfctl -a blacklistd -sA
+ pfctl -a blocklistd -sA
+ pfctl -a '' -sr -v -z <-- this is an invalid command

The proposed fix can be found in the diff; it simply changes the pfctl command line syntax for an empty anchor.
Created attachment 270809 [details]
git diff to fix the bug

^Triage: rebase.
Can you test this instead? diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied index d87dfa0ae64c..a3cddf30d726 100755 --- a/usr.sbin/periodic/etc/security/520.pfdenied +++ b/usr.sbin/periodic/etc/security/520.pfdenied @@ -41,7 +41,7 @@ rc=0 if check_yesno_period security_status_pfdenied_enable then TMP=`mktemp -t security` - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) $(pfctl -a "blocklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} + for _a in "/" $(pfctl -a "blacklistd" -sA 2>/dev/null) $(pfctl -a "blocklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} do pfctl -a "${_a}" -sr -v -z 2>/dev/null | \ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
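Review bot: the `2>/dev/null` on the `pfctl -a "${_a}" -sr -v -z` line is what let the original bug go unnoticed: the invalid `pfctl -a '' ...` invocation failed silently and the root anchor was simply never reported. Switching the first list element to "/" fixes the invocation, but a short comment on the `for` line noting that "/" is pfctl's spelling of the root anchor (the old "" looked intentional and was not) would keep the next reader from reintroducing the empty string.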
Thanks, I can confirm this elegant fix does the job!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3d9cd10b2857ee7a9ec1b04457d9ec44f614d32c

commit 3d9cd10b2857ee7a9ec1b04457d9ec44f614d32c
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-06-03 08:49:31 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-06-03 08:52:06 +0000

pfdenied: fix checking root anchor

pfctl doesn't like empty anchors (-a ''), but we can specify the root anchor as '/' too, so do that instead.

PR: 295324
Tested by: Paweł Krawczyk
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
*** Bug 292184 has been marked as a duplicate of this bug. ***
A commit in branch stable/15 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b0f75189f6cbaf288173d679b6600e3250c07c3d

commit b0f75189f6cbaf288173d679b6600e3250c07c3d
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-06-03 08:49:31 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-06-10 07:47:49 +0000

pfdenied: fix checking root anchor

pfctl doesn't like empty anchors (-a ''), but we can specify the root anchor as '/' too, so do that instead.

PR: 295324
Tested by: Paweł Krawczyk
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3d9cd10b2857ee7a9ec1b04457d9ec44f614d32c)

usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4df539cc3864f45e980774ac77238e0781b930d7

commit 4df539cc3864f45e980774ac77238e0781b930d7
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-06-03 08:49:31 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2026-06-10 07:49:01 +0000

pfdenied: fix checking root anchor

pfctl doesn't like empty anchors (-a ''), but we can specify the root anchor as '/' too, so do that instead.

PR: 295324
Tested by: Paweł Krawczyk
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3d9cd10b2857ee7a9ec1b04457d9ec44f614d32c)

usr.sbin/periodic/etc/security/520.pfdenied | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)