Add detailed PF rules error debugging

blink-so[bot] · f0ssel · blink-so[bot] · commit 0fa48f5c0cc7 · 2025-09-13T18:03:29.000Z
- Capture and log pfctl command output on failure
- Log the actual PF rules content for debugging
- Helps diagnose PF rules syntax or permission issues
- Should reveal why PF rules are failing to load

Co-authored-by: f0ssel &lt;19379394+f0ssel@users.noreply.github.com&gt;
diff --git a/namespace/macos.go b/namespace/macos.go
@@ -263,9 +263,15 @@ func (m *MacOSNetJail) setupPFRules() error {
 
 	// Load rules into anchor
 	cmd := exec.Command("pfctl", "-a", pfAnchorName, "-f", m.pfRulesPath)
-	err = cmd.Run()
+	output, err := cmd.CombinedOutput()
 	if err != nil {
-		return fmt.Errorf("failed to load PF rules: %v", err)
+		m.logger.Error("Failed to load PF rules", "error", err, "output", string(output), "rules_file", m.pfRulesPath)
+		// Also log the actual rules content for debugging
+		rulesContent, readErr := os.ReadFile(m.pfRulesPath)
+		if readErr == nil {
+			m.logger.Debug("PF rules content", "rules", string(rulesContent))
+		}
+		return fmt.Errorf("failed to load PF rules: %v, output: %s", err, string(output))
 	}
 
 	// Enable PF if not already enabled
@@ -303,7 +309,7 @@ anchor "%s"
 
 	// Verify that rules were loaded correctly
 	cmd = exec.Command("pfctl", "-a", pfAnchorName, "-s", "rules")
-	output, err := cmd.Output()
+	output, err = cmd.Output()
 	if err == nil && len(output) > 0 {
 		// Rules loaded successfully
 		return nil
