Thanks! No, it didn't occur to me, so very appreciated. I didn't remember that you could do that form of the table command to show explicit members in a list, so that's also really helpful.

FWIW, though... I would not have expected that pf would silently drop - without any warning message or complaint - an address explicitly stated as being a member of a constant table definition. Even that address. You're right that (at least in hindsight) 0.0.0.0/mask might be treated differently - maybe it uses it as a marker for an empty slot or the like? But regardless of that, I would (a) expect that fact to be documented (if it is, I missed it), and (b) expect that the pf parser would say something as it was throwing it away (at least a warning message about "unparseable address at line XX - ignored" or the like). For it to just drop it on the floor and say nothing at all seems - well, kind of non-pf-ish.

Perhaps worth a documentation patch, if not an actual code patch.

Again, much thanks.

/d/

> Did you take the time to display the content of the table?
> 'pfctl -t unroutable_ips -Ts' should do the trick, and then you would
> see that 0.0.0.0 is *not* in the table. I just ran a quick test to
> verify that it is not possible to add such an "address" to a table. I
> did not dig through the source code and am not an expert on the IP
> stack as some devs on this list, but I do suspect that there are many
> special properties attached to a null address field.