On 2013/08/14 22:05, Philip Guenther wrote:
> > # Only match connections that will be forwarded (or nothing listening
> > on the local host)
> > pass in proto tcp user unknown
> 
> pass in proto tcp to !self
> 
> (Does this hit the optimizer issue?)

This one is fun. It depends on how many addresses "self" has -
if it's a small number of addresses then the optimizer is *not* used
and it expands to:

pass in proto tcp to !someaddr
pass in proto tcp to !otheraddr

so it doesn't do the right thing.

But add a few more addresses and the optimizer kicks in replacing
the list of addresses with a table,

pass in proto tcp to !<__automatic_1>

which *does* work as expected.

> > In my original example, the connection is forwarded, but "user root" is 
> > either matched or ignored. I'm not sure which one, but either action is 
> > wrong if the user is supposed to be "unknown" in this situation, as the 
> > man page says. It explicitly states that such forwarded connections 
> > should not be matched unless tested with "user = unknown".
> 
> As suggested above: if I had my way, the whole 'unknown' thing would be 
> removed and treated as a documentation bug.  Figure out how to say what 
> you _mean_ instead of hiding behind this indirection!

As shown above, "self" is a bit tricky (it's a real surprise that adding
an extra IP address to an interface can totally change how the ruleset
works), so I usually try to avoid it, which is why I do see some use for
"unknown" here (not that I've ever used it myself...)

I think that, as things stand, either the documentation or the implementation
is wrong:

"The value unknown matches packets of forwarded connections."
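As an added illustration (not from the thread and not pf's own code), a Python model of the two expansions the message describes: "self" standing for two constructed addresses, the per-address negated rules versus one negated table, evaluated with pf's last-matching-rule semantics behind an assumed "block all".

```python
"""Model of how 'pass in proto tcp to !self' behaves under the two expansions
described in the thread.  Constructed example; it does not call pf or pfctl."""
from ipaddress import ip_address

# Constructed sample: the two addresses "self" expands to on this host.
SELF_ADDRS = [ip_address("192.0.2.10"), ip_address("192.0.2.11")]


def expand_negated_list(addrs):
    """Small-list case (optimizer not used): 'to !self' becomes one rule per
    address, each negating only that single address.  A rule is a predicate
    on the destination address."""
    return [(lambda dst, a=a: dst != a) for a in addrs]


def table_rule(addrs):
    """Optimizer case: the list is folded into one table (like <__automatic_1>)
    and the negation applies to the table as a whole."""
    table = set(addrs)
    return [lambda dst: dst not in table]


def passes(rules, dst):
    """pf semantics: rules are evaluated in order and the last matching rule
    wins.  All rules here are 'pass', and an unmatched packet is treated as
    blocked, as if the ruleset started with 'block all'."""
    decision = False
    for rule in rules:
        if rule(dst):
            decision = True
    return decision


def compare(dst_str):
    """Return the pass/block outcome for a destination under both expansions."""
    dst = ip_address(dst_str)
    return {
        "expanded": passes(expand_negated_list(SELF_ADDRS), dst),
        "table": passes(table_rule(SELF_ADDRS), dst),
    }


if __name__ == "__main__":
    # A packet to one of the host's own addresses still passes under the
    # expanded form, because the rule negating the *other* address matches.
    for d in ("192.0.2.10", "198.51.100.7"):
        print(d, compare(d))
```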
