Hi folks,

On 10/07/14 05:12, Giancarlo Razzolini wrote:
> On 04-10-2014 11:06, Peter N. M. Hansteen wrote:
>> The parentheses denote potentially dynamic addresses, and IIRC the main
>> difference is that with parentheses the list will be expanded IIRC at rule
>> evaluation time, while without the parentheses, the list of addresses is
>> expanded at ruleset load time.
> The man page talks only about interface names surrounded by parentheses. But,
> from my experience, (self) works at evaluation time, just as (egress) does. No
> need to reload the ruleset every time any address changes. Perhaps it would be
> nice to improve the man page on that subject?
>
> Cheers
>

Thanx for your responses. A related question: I wonder how well
"(self)" and "(group)" perform, compared to tables listing IP addresses?
Is (self) evaluated every time for each rule using it, once per
connection, in certain intervals, or only if one of the network
interfaces is actually changed?

Regards
Harri