If this was to be implemented, it might be more appropriate to show in the
runtime state (pfctl -si) than the rule output.
I don't know. Maybe, maybe not. But I got cut with this. I had a
sysadmin do changes in a pretty big multi-interface box and he used the
set skip to test new rules on individual interfaces, as I guess it started
to be too big, I can't explain. But in any case, I started to see
some strange things pass that shouldn't be there, and looking at the
pfctl -sr at work, I never saw anything that would explain it.
After many hours of work, I thought that maybe there might be a bug
somehow. I looked in that direction and a few more days passed.
Sometimes the most obvious is not what jumps out at you, and in the end, I
started to look in more detail at the rules instead of the pfctl -sr
until I saw the set skip in there.
So, in the end, it is very stupid, and I agree with that 100%!
No one else to blame than the sysadmin and myself for assuming that pfctl
-sr would show me what's active at the time.
I fell into that trap and that's why I was asking if it wouldn't make
sense to see what's actually active when you are looking at the live
configuration running on the system.
I took for granted that looking at the live rules was telling me
what is actively filtering. Believe me, I will not fall into that trap
again, but I thought, after the many hours that I could have saved, that
maybe it might be very useful for someone else.
I just thought that if you look at the live configuration, it should
show the live configuration.
That was just my take on it after a real-life trap that I don't have
anyone to blame for but myself, for not looking at the detailed configuration
line by line sooner.
In any case, thanks for the feedback. That's a mistake I will not repeat
again! (;>
Daniel