On 2015-04-27, Brian S. Vangsgaard <[email protected]> wrote:
> When using interface groupnames in my pf.conf, I see the same rule 4
> times when doing a pfctl -s rules.
>
> The interface group I'm using has a vlan and carp member.
>
> Ex.
> pass in on groupA from groupA:network to groupB:network tag A_TO_B

It's expanding the address of each member of groupA (which you have as both
carp and vlan in the same subnet), and groupB (same).

> Will produce something like (pfctl -s rules);
>
> ...
> pass in on groupA inet from 1.2.3.0/24 to 5.6.7.0/24 flags S/SA keep
> state (pflow) tag A_TO_B
> pass in on groupA inet from 1.2.3.0/24 to 5.6.7.0/24 flags S/SA keep
> state (pflow) tag A_TO_B
> pass in on groupA inet from 1.2.3.0/24 to 5.6.7.0/24 flags S/SA keep
> state (pflow) tag A_TO_B
> pass in on groupA inet from 1.2.3.0/24 to 5.6.7.0/24 flags S/SA keep
> state (pflow) tag A_TO_B
>
> Using a single interface (ex. vlan) will only produce one line (as I
> expect it to do) in the pfctl -s rules output.

This is probably the simplest fix. The actual packets you want to filter
show up on the vlan interfaces anyway.

> My question is: Why is pf making 4 identical rules when using
> groupnames?

The rule is expanded like this:

from carpX:network to carpY:network
from carpX:network to vlanY:network
from vlanX:network to carpY:network
from vlanX:network to vlanY:network

So you can see how it happens. There would need to be some extra logic in
pfctl to suppress duplicates to avoid this.
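The expansion described in the reply, modelled as an added example (not pfctl's code and not part of the thread): each `group:network` operand is replaced by the network of every member, so a rule with two group operands becomes the cross product of the memberships. The group names, member interfaces and subnets below are constructed to match the thread; `dedup_rules` is the "extra logic" the reply says pfctl does not have.

```python
from itertools import product

# Constructed example: two interface groups, each with a carp and a vlan
# member that sit on the same subnet, as in the thread. Networks are made up.
GROUPS = {
    "groupA": {"carp0": "1.2.3.0/24", "vlan10": "1.2.3.0/24"},
    "groupB": {"carp1": "5.6.7.0/24", "vlan20": "5.6.7.0/24"},
}


def expand_rule(on, src_group, dst_group, groups, tag):
    """Expand 'from SRC:network to DST:network' the way the reply describes:
    one rule per (source member, destination member) pair, i.e. the cross
    product of the two memberships. Returns [(member pair, rendered rule)]
    so the caller can see which pair produced each line."""
    expanded = []
    for (s_if, s_net), (d_if, d_net) in product(groups[src_group].items(),
                                                 groups[dst_group].items()):
        rule = (f"pass in on {on} inet from {s_net} to {d_net} "
                f"flags S/SA keep state (pflow) tag {tag}")
        expanded.append(((s_if, d_if), rule))
    return expanded


def dedup_rules(expanded):
    """Suppress rules whose rendered text has already been emitted, keeping
    the first occurrence so rule ordering (which matters in pf) is preserved.
    Members on distinct subnets still yield distinct rules."""
    seen = set()
    unique = []
    for _, rule in expanded:
        if rule not in seen:
            seen.add(rule)
            unique.append(rule)
    return unique


if __name__ == "__main__":
    rules = expand_rule("groupA", "groupA", "groupB", GROUPS, "A_TO_B")
    for (s_if, d_if), rule in rules:
        print(f"{s_if:>6} -> {d_if:<6}  {rule}")
    print(f"{len(rules)} expanded, {len(dedup_rules(rules))} unique")
```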

