Tommy Nevtelen <to...@nevtelen.com> wrote:
> On 04/09/2020 17.24, Brian Brombacher wrote:
> >
> >> On Sep 4, 2020, at 10:51 AM, Tommy Nevtelen <to...@nevtelen.com> wrote:
> >>
> >> Hi there misc!
> >>
> >> Is there an external pfctl linter? We have a bunch of pf firewalls for which we
> >> generate rules but also write some manual ones that get merged. Would be
> >> nice if we could lint the rules before they are committed to VCS. (Yes, we test
> >> before they are applied on the machines as well, but that is way too late
> >> in a sane pipeline imho.)
> >>
> >> Problem is that pfctl expects that all interfaces and everything is
> >> correct (which makes sense for pfctl before loading). BUT it is hard to
> >> run on a build machine or my laptop to get a general idea of where I'm at
> >> (unless I'm missing some tricks somewhere).
> >>
> > Can the build machine securely request each server run pfctl -n -f
> > temp_config ?
> >
> > That would verify it'll load for sure on said server.
>
> This would not be practical for many reasons and is exactly what I
> want to avoid doing, hence the original question.
As a test becomes more synthetic, predicting operation in reality becomes quite poor. I get a feeling that most pf configuration errors are related to unexpected flows in/out of interfaces, and you suggest a grammar checker which is ignorant of interface configuration. It won't go well.
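As an added example (not code from this thread and not an OpenBSD tool): a small offline pre-commit check in Python for pf.conf fragments. It does the part a pure grammar check can do (undefined or forward-referenced macros, unbalanced braces) and narrows the gap the reply points out by checking every `on <interface>` clause against a per-host interface inventory kept in version control next to the rules. The host names, the inventory and the pf.conf sample are constructed for illustration; it is not a substitute for `pfctl -n -f` on the target host, which still resolves addresses and interface groups as pfctl sees them.

```python
"""Offline pre-commit lint for pf.conf fragments (added example, constructed data)."""
import re
from typing import Dict, List, Set, Tuple

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
MACRO_USE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')
# 'on' followed by either a brace list or one (optionally negated/parenthesised) name
ON_CLAUSE = re.compile(r'\bon\s+(\{[^}]*\}|!?\s*\(?[A-Za-z][A-Za-z0-9_.]*\)?)')
NAME = re.compile(r'[A-Za-z][A-Za-z0-9_.]*')

# Constructed inventory: which interfaces/groups each firewall actually has.
INVENTORY: Dict[str, Set[str]] = {
    "fw1": {"em0", "vlan10", "lo0", "egress"},
    "fw2": {"em0", "vlan10", "vlan20", "lo0", "egress"},
}

# Constructed pf.conf fragment with one per-host interface mistake and one typo'd macro.
SAMPLE = r"""ext_if = "em0"
int_if = "vlan10"
dmz_if = "vlan20"   # only fw2 carries this vlan
set skip on lo0
block in log on $ext_if
pass in on $int_if proto tcp to port 22
pass in on $dmz_if proto tcp to port 443
pass out on { $ext_if, $int_if } \
    keep state
pass in on $ext_if proto tcp to port $web_ports
"""


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Strip '#' comments and join backslash continuations; keep the physical
    line number on which each logical line starts so findings are navigable."""
    out: List[Tuple[int, str]] = []
    buf, start = '', 0
    for n, raw in enumerate(text.splitlines(), 1):
        code = raw.split('#', 1)[0].rstrip()
        if not buf:
            start = n
        if code.endswith('\\'):
            buf += code[:-1] + ' '
            continue
        line = buf + code
        buf = ''
        if line.strip():
            out.append((start, line))
    if buf.strip():
        out.append((start, buf))
    return out


def lint_pf(text: str, host: str, inventory: Dict[str, Set[str]]) -> List[Tuple[int, str]]:
    """Return (line, message) findings for the rules as seen from one host."""
    ifaces = inventory[host]
    macros: Dict[str, str] = {}
    findings: List[Tuple[int, str]] = []
    expand = lambda s: MACRO_USE.sub(lambda u: macros.get(u.group(1), ''), s)
    for lineno, line in logical_lines(text):
        if line.count('{') != line.count('}'):
            findings.append((lineno, 'unbalanced braces'))
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            for used in MACRO_USE.findall(value):
                if used not in macros:
                    findings.append((lineno, f'macro ${used} used before definition'))
            macros[name] = expand(value)   # store fully expanded value
            continue
        for used in MACRO_USE.findall(line):
            if used not in macros:
                findings.append((lineno, f'undefined macro ${used}'))
        expanded = expand(line).replace('"', '')
        for clause in ON_CLAUSE.findall(expanded):
            for name in NAME.findall(clause):
                if name not in ifaces:
                    findings.append((lineno, f'interface {name} not present on {host}'))
    return findings


if __name__ == "__main__":
    for host in INVENTORY:
        for line, msg in lint_pf(SAMPLE, host, INVENTORY):
            print(f"{host}: pf.conf:{line}: {msg}")
```

Run as a pre-commit hook, it flags line 7 for fw1 only (vlan20 does not exist there) and line 10 for both hosts (the `$web_ports` macro was never defined). The inventory is the piece that makes the check host-aware without touching the firewalls; keeping it accurate is the operational cost, and anything involving address resolution still has to wait for `pfctl -n -f` on the box.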