Date: Thu, 6 Sep 2007 15:16:41 -0700
From: "Jon Simola" <jsimola@gmail.com>
To: "Gergely CZUCZY" <phoemix@harmless.hu>
Cc: freebsd-pf@freebsd.org
Subject: Re: duplicate rule on :broadcast
Message-ID: <8eea04080709061516k5a35e15qdf85a5f3be34af7b@mail.gmail.com>
In-Reply-To: <20070906203936.GA7448@harmless.hu>
References: <20070906203936.GA7448@harmless.hu>
On 9/6/07, Gergely CZUCZY <phoemix@harmless.hu> wrote:
> Hello
>
> I've got a configuration where I've got 2 IPs on em0
> from the very same subnet. This means they have the
> same broadcast address.

ifconfig(8) suggests:

     alias   Establish an additional network address for this interface.
             This is sometimes useful when changing network numbers, and one
             wishes to accept packets addressed to the old interface.  If the
             address is on the same subnet as the first network address for
             this interface, a non-conflicting netmask must be given.
             Usually 0xffffffff is most appropriate.

> Is it really necessary to have duplicates when the
> broadcast addresses of the assigned addresses are the
> very same?

pfctl doesn't check to see if rules created by expansion make sense or
duplicate other rules. Doing so would increase the complexity, and
duplicate rules end up getting skipped anyways.

You may want to check out the -o option for optimizing the running
ruleset, or you can rewrite your rule to avoid using :broadcast

if_inet = "int0"
table <if_inet> persist {$if_inet}
block in quick on $if_inet from any to !<if_inet> port 137 label "broadcast deny"

That has the same effect (block stuff that isn't explicitly addressed to
me), and doesn't expand to more than a single rule.

-- 
Jon
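As an added illustration (not code from the thread or from the pf project), the pf.conf fragment below places a :broadcast rule of the kind the question implies next to the table-based rewrite from the reply, so the expansion problem and its fix can be compared in one file. The interface name em0, the two addresses 192.0.2.10 and 192.0.2.11, and the table name are assumptions made for the example; the rule form with :broadcast is a reconstruction, since the original rule is not shown in the thread.

```pf
# Added example (not part of the original message): /etc/pf.conf fragment
# contrasting a :broadcast rule with the table-based rewrite from the reply.
# Assumptions: the interface is em0, it carries 192.0.2.10 and 192.0.2.11
# (constructed documentation addresses) in the same /24, and the goal is to
# drop NetBIOS name service (UDP 137) that is not addressed to this host.

ext_if = "em0"

# Variant A (constructed; the form the original question implies).
# "$ext_if:broadcast" expands to the broadcast address of every address on
# em0. Two aliases in one subnet share 192.0.2.255, so pfctl emits the same
# rule twice. The duplicate is harmless but noisy: 'pfctl -nvf /etc/pf.conf'
# prints the expanded ruleset without loading it, and 'pfctl -o -f
# /etc/pf.conf' lets the optimizer drop the duplicate. Kept commented out so
# that only one variant is loaded.
#block in quick on $ext_if proto udp from any to $ext_if:broadcast port 137 \
#    label "broadcast deny"

# Variant B (the reply's rewrite). 'proto udp' is added here because pf's
# port matching applies to TCP and UDP packets and NetBIOS-NS is UDP. The
# table holds every address configured on em0, and the rule drops port-137
# traffic whose destination is not one of them, the shared broadcast address
# included. One rule, no expansion, regardless of how many aliases em0 has.
table <if_inet> persist { $ext_if }
block in quick on $ext_if proto udp from any to !<if_inet> port 137 \
    label "broadcast deny"
```

Variant B matches on "not addressed to me" rather than "addressed to the broadcast", which is exactly the reply's intent, but it is broader: on a host that forwards packets, it also drops unicast UDP/137 traffic transiting em0 for other destinations, so on a router the :broadcast form (with the optimizer removing the duplicate) may be the more precise choice. Either way, the label makes the drops easy to count with 'pfctl -s labels' when checking that the rule is doing what was intended.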