Using a single interface (ex. vlan) will only produce one line (as I
expect it to do) in the pfctl -s rules output.
This is probably the simplest fix. The actual packets you want to
filter show up on the vlan interfaces anyway.
You're right, this would be the best solution at the moment.
My question is: Why is pf making 4 identical rules when using
group names?
The rule is expanded like this:
from carpX:network to carpY:network
from carpX:network to vlanY:network
from vlanX:network to carpY:network
from vlanX:network to vlanY:network
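To make the expansion above concrete, here is an added illustration (not configuration from anyone in this thread) of the two ways to write the rule. The interface and group names (vlan10, carp10, vlan20, carp20, "inside", "outside") are assumptions for the illustration; the original post does not name them.

```conf
# --- ifconfig(8) side (assumed names): put each vlan and the carp
# interface riding on it into one group ---------------------------------
#   ifconfig vlan10 group inside
#   ifconfig carp10 group inside
#   ifconfig vlan20 group outside
#   ifconfig carp20 group outside

# --- /etc/pf.conf ---------------------------------------------------------

# Written with group names. pf expands every member of "inside" against
# every member of "outside", so this single line becomes 2 x 2 = 4 rules
# in "pfctl -s rules". Because carp10:network and vlan10:network resolve
# to the same prefix (and likewise for 20), all four rules are identical.
pass in from inside:network to outside:network

# Written against the vlan interfaces only. Same packets are matched
# (they are seen on the vlan interfaces), and exactly one rule is loaded.
pass in from vlan10:network to vlan20:network

# Preview the expansion without loading the ruleset:
#   pfctl -nvf /etc/pf.conf
```

Running `pfctl -nvf` on the group-based rule prints the expanded per-interface rules, so the duplication is visible before the ruleset is loaded; `pfctl -s rules` afterwards shows the same four lines.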
It all makes sense now, thank you.
I actually tried using the -vg option, hoped that I might get some
interface details/id(s) attached to the rule. That would have explained
it too. But then again, it is not pf's job :)
So you can see how it happens. There would need to be some extra logic
in pfctl to suppress duplicates to avoid this.
Yes, but other programs show it the same way; I tried with pftop, and it
will also display the duplicates.