Date:      Mon, 27 Feb 2023 07:59:16 -0500
From:      mike tancsa <mike@sentex.net>
To:        Dave Horsfall <dave@horsfall.org>
Cc:        FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Where did "from <__automatic_43ce223_0> come from?
Message-ID:  <2a307fdd-e8de-7949-9f67-01b5833d6c3c@sentex.net>
In-Reply-To: <502D8886-DC95-4BC0-8681-7D117A430825@FreeBSD.org>
References:  <alpine.BSF.2.21.9999.2302260703030.91342@aneurin.horsfall.org> <502D8886-DC95-4BC0-8681-7D117A430825@FreeBSD.org>


On 2/25/2023 3:22 PM, Kristof Provost wrote:
>
> On 26 Feb 2023, at 9:09, Dave Horsfall wrote:
>
>     FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD
>     10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018
>     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>
>     (Yeah, I'll update soon, when I find a newer box)
>
>     Seen in my daily security run output:
>
>     +block drop in quick inet from <__automatic_43ce223_0> to any [
>     Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
>
>     Obviously something created automatically (I don't have anything
>     faintly
>     resembling that in my pf.conf), but how?
>
>
It can also show up if you use 'self'

e.g.

block log quick from self to <rejects>
block log quick from <rejects> to self

and then view the rules with pfctl -sr; it shows up as

block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>

     ---Mike


> set ruleset-optimization
>        none      Disable the ruleset optimizer.
>        basic     Enable basic ruleset optimization.  This is the default
>                  behaviour.  Basic ruleset optimization does four things to
>                  improve the performance of ruleset evaluations:
>
>                  1.   remove duplicate rules
>                  2.   remove rules that are a subset of another rule
>                  3.   combine multiple rules into a table when advantageous
>                  4.   re-order the rules to improve evaluation performance
>
>        profile   Uses the currently loaded ruleset as a feedback profile to
>                  tailor the ordering of quick rules to actual network
>                  traffic.
>
>        It is important to note that the ruleset optimizer will modify the
>        ruleset to improve performance.  A side effect of the ruleset
>        modification is that per-rule accounting statistics will have
>        different meanings than before.  If per-rule accounting is important
>        for billing purposes or whatnot, either the ruleset optimizer should
>        not be used or a label field should be added to all of the accounting
>        rules to act as optimization barriers.
>
>        Optimization can also be set as a command-line argument to pfctl(8),
>        overriding the settings in pf.conf.
>
> That’d be case 3.
>
> Kristof
>
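
Added example, not part of the original messages: a shell filter that reads `pfctl -sr` output and reports which rules reference generated `__automatic_` tables, as opposed to user-defined tables such as `<rejects>`. The first three sample lines are the rules quoted in this thread; the fourth rule and the interface name `em0` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find rules in `pfctl -sr` output
# that reference generated tables, i.e. names starting "__automatic_".

# Read rules on stdin; for every automatic table reference print
#   <from|to> <table name> | <rule text>
# User-defined tables such as <rejects> are ignored.
auto_table_rules() {
    awk '{
        rule = $0
        sub(/^[+-]/, "", rule)                     # diff marker from the daily run
        sub(/[ \t]*\[ Evaluations:.*$/, "", rule)  # -v counters, if on the line
        n = split(rule, w)                         # split on whitespace
        for (i = 2; i <= n; i++) {
            if (w[i] !~ /^<__automatic_[0-9a-f]+_[0-9]+>$/) continue
            side = w[i-1]
            if (side == "!" && i > 2) side = w[i-2]   # negated: "from ! <table>"
            if (side != "from" && side != "to") continue
            print side, substr(w[i], 2, length(w[i]) - 2), "|", rule
        }
    }'
}

# Unique automatic table names, one per line.
auto_table_names() {
    auto_table_rules | awk '{ print $2 }' | sort -u
}

# Sample input: lines 1-3 are quoted in the thread, line 4 is constructed.
sample_rules() {
    cat <<'EOF'
block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>
+block drop in quick inet from <__automatic_43ce223_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
pass out quick on em0 inet from any to <rejects>
EOF
}

# On a live host: pfctl -sr | auto_table_rules
sample_rules | auto_table_rules
```
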