On Sat, 7 Jun 2008, Martin Toft wrote:

On Sat, Jun 07, 2008 at 11:16:30AM +0200, Martin Toft wrote:
Just a wild guess -- maybe the pf optimizer substitutes the six
addresses with 192.168.1.0/29?

Many thanks Martin.  I guess the "automatic" in the table name
should have clued me in:

pass in quick on em0 inet proto tcp from <__automatic_5b628896_0> to 10.0.0.1
port = ssh flags S/SA keep state

Reading about the ruleset optimizer now.  Very cool.  Thanks again!

-rick


Sorry for sending so many mails, but I just want to correct myself
before somebody else does. Your six addresses are probably not
substituted with the network above. It is more reasonable to believe
that the pf optimizer has put your six addresses into a table as hinted
in pf.conf(5):

$ man pf.conf | grep -B 8 -A 1 'combine multiple'
    set ruleset-optimization
          none      Disable the ruleset optimizer.
          basic     Enable basic ruleset optimization.  This is the default
                    behaviour.  Basic ruleset optimization does four things
                    to improve the performance of ruleset evaluations:

                    1.   remove duplicate rules
                    2.   remove rules that are a subset of another rule
                    3.   combine multiple rules into a table when advanta-
                         geous

Martin
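An added illustration of the behaviour discussed in this thread (not part of either mail): six near-identical pass rules that the basic optimizer may fold into one rule keyed on an automatic table, followed by the same policy written with an explicit, named table so the table shows up under a stable name in pfctl output. Interface, addresses and service are constructed for the example.

```conf
# pf.conf excerpt (constructed example).
# "basic" is the default; shown here so the knob is visible.
set ruleset-optimization basic

# Six rules differing only in the source address. The basic optimizer may
# collapse these into a single rule whose source is an __automatic_* table,
# which is what a "pfctl -sr" listing then shows instead of the six lines.
pass in quick on em0 inet proto tcp from 192.168.1.1 to 10.0.0.1 port ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from 192.168.1.2 to 10.0.0.1 port ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from 192.168.1.3 to 10.0.0.1 port ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from 192.168.1.4 to 10.0.0.1 port ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from 192.168.1.5 to 10.0.0.1 port ssh flags S/SA keep state
pass in quick on em0 inet proto tcp from 192.168.1.6 to 10.0.0.1 port ssh flags S/SA keep state

# The same policy written explicitly. "const" prevents the table from being
# modified at runtime with pfctl -T, and the name makes audits and
# "pfctl -t ssh_clients -T show" unambiguous.
table <ssh_clients> const { 192.168.1.1, 192.168.1.2, 192.168.1.3, \
                            192.168.1.4, 192.168.1.5, 192.168.1.6 }
pass in quick on em0 inet proto tcp from <ssh_clients> to 10.0.0.1 port ssh flags S/SA keep state

# To preview what the optimizer does to a ruleset without loading it:
#   pfctl -o basic -nvf /etc/pf.conf
# -n parses only, -v prints the resulting rules, -o selects the optimization level.
```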
