On 2013/07/23 10:31, Henning Brauer wrote:
> if the optimizer was broken in general we would have noticed a LONG
> time ago. so this is OBVIOUSLY ruleset-dependent, yet you didn't even
> try to come up with a minimal ruleset that triggers the bug. or (which
> is worse, but better than nothing) include your ruleset exhibiting the
> problem.
Here's a contrived example for one case where the optimizer changes the meaning of the rules. Not sure whether it's considered a bug or not (and actually in this case the optimized version is more likely to be correct).

$ echo 'pass quick inet to !self' | pfctl -nvf - -o none
pass quick inet from any to ! 127.0.0.1 flags S/SA
pass quick inet from any to ! 10.1.1.1 flags S/SA
pass quick inet from any to ! 10.1.1.4 flags S/SA
pass quick inet from any to ! 10.1.1.9 flags S/SA
pass quick inet from any to ! 10.1.1.15 flags S/SA
pass quick inet from any to ! 10.1.1.19 flags S/SA
pass quick inet from any to ! 10.1.1.35 flags S/SA

$ echo 'pass quick inet to !self' | pfctl -nvf -
table <__automatic_0> const { 127.0.0.1 10.1.1.1 10.1.1.4 10.1.1.9 10.1.1.15 10.1.1.19 10.1.1.35 }
pass quick inet from any to ! <__automatic_0> flags S/SA
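To make the semantic difference between the two pfctl outputs concrete, here is a small Python model of first-match ("quick") evaluation over both rulesets. It is an added illustration, not code from the thread or from pf itself; it models only the destination-address test and uses the seven addresses pfctl printed above as the expansion of "self". The point it demonstrates: with one negated rule per address, every packet matches one of the rules (a packet to 10.1.1.4 still satisfies "! 127.0.0.1"), so the negation is effectively lost, whereas the single negated table matches only packets whose destination is outside the whole set.

```python
import ipaddress

# The addresses pfctl expanded "self" to in the output above.
SELF_ADDRS = ["127.0.0.1", "10.1.1.1", "10.1.1.4", "10.1.1.9",
              "10.1.1.15", "10.1.1.19", "10.1.1.35"]


def expanded_rules(addrs):
    """Model of the `-o none` output: one negated, quick rule per address."""
    return [{"neg": True, "dst": {ipaddress.ip_address(a)}} for a in addrs]


def table_rules(addrs):
    """Model of the optimized output: one quick rule negating the whole table."""
    return [{"neg": True, "dst": {ipaddress.ip_address(a) for a in addrs}}]


def first_match(rules, dst):
    """Return the index of the first rule whose destination test matches, or None.

    A negated test matches when dst is NOT in the address set; a plain test
    matches when it IS.  All rules here are 'quick', so the first match wins.
    """
    d = ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        in_set = d in rule["dst"]
        if in_set != rule["neg"]:
            return i
    return None


def compare(dst):
    """(index matched by expanded ruleset, index matched by table ruleset)."""
    return (first_match(expanded_rules(SELF_ADDRS), dst),
            first_match(table_rules(SELF_ADDRS), dst))


def disagreements(dsts):
    """Destinations for which the two rulesets differ in whether any rule matches."""
    return [d for d in dsts
            if (compare(d)[0] is None) != (compare(d)[1] is None)]


if __name__ == "__main__":
    # Constructed sample destinations: the "self" addresses plus one outside host.
    for dst in SELF_ADDRS + ["192.0.2.1"]:
        print(dst, compare(dst))
    print("differ on:", disagreements(SELF_ADDRS + ["192.0.2.1"]))
```

For a destination that is one of the local addresses, the expanded ruleset still matches (on the first rule whose single address differs), while the table ruleset matches nothing; for an outside destination both match the first rule. Whether "matches nothing" ends in pass or block then depends on the rest of the ruleset, since pf passes traffic that no rule matches, but the author's observation stands: the two forms do not mean the same thing, and the table form is the one that actually expresses "not to any of self".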