On Sat, Sep 29, 2018 at 06:17:05PM +0200, Fabian Mueller-Knapp wrote:
> I have the following pf.conf:
>
> anchor quick {
>   pass
> }
> block
>
> # pfctl -sr
> anchor quick all {
>   pass all flags S/SA
> }
> block drop all
>
> Because of the 'quick' I assumed that 'block' is never reached, but it
> is since 6.2.

Indeed, `pfctl -s rules -v' clearly shows how every packet goes through
all three rules.

> man pf.conf(5) states:
>
> "If the anchor itself is marked with the quick option, ruleset
> evaluation will terminate when the anchor is exited if the packet is
> matched by any rule within the anchor."
>
> I tested with fresh installs of 6.1, 6.2, 6.3 and current via vmd and
> 6.1 does in fact behave as I would accept (that is, all packets
> pass). From 6.2 on however, all packets are dropped.

Thanks for your report.

> Do I misread the manpage somehow?

No, this is a bug.
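
Added example (not part of the original message and not pf's own code): a toy Python model of last-match rule evaluation, run over the ruleset from the report, that contrasts the pf.conf(5) wording for `anchor quick` with the behaviour reported for 6.2 and later. The names `Rule`, `Anchor`, `evaluate` and `honor_anchor_quick` are hypothetical, and the model assumes the packet matches every rule, as it does with `pass all` and `block drop all`.

```python
# Toy model of pf rule evaluation (added example; not pf's source code).
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "pass" or "block"
    quick: bool = False


@dataclass
class Anchor:
    rules: list
    quick: bool = False


def evaluate(ruleset, honor_anchor_quick=True):
    """Return (verdict, trace) for a packet that matches every rule.

    honor_anchor_quick=True follows the pf.conf(5) text quoted above;
    False models the behaviour reported for 6.2 and later.
    """
    trace = []  # actions of the rules the packet was evaluated against

    def walk(items):
        # Returns (last_match, stop): the last matching action seen in
        # this list, and whether evaluation of the whole ruleset ends.
        last = None
        for item in items:
            if isinstance(item, Anchor):
                inner, stop = walk(item.rules)
                if inner is not None:
                    last = inner
                    # Documented: a match inside a quick anchor ends
                    # evaluation when the anchor is exited.
                    if item.quick and honor_anchor_quick:
                        stop = True
                if stop:
                    return last, True
            else:
                trace.append(item.action)
                last = item.action
                if item.quick:
                    return last, True
        return last, False

    verdict, _ = walk(ruleset)
    # With no matching rule at all, pf's implicit default is to pass.
    return verdict or "pass", trace


# The ruleset from the report: anchor quick { pass } followed by block.
REPORTED = [Anchor([Rule("pass")], quick=True), Rule("block")]
```

With the documented semantics the trace stops after the anchor and the verdict is `pass`; with the flag ignored the trailing `block` is also evaluated and wins as the last match.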