Hi all, I have two different machines which are doing firewall fail-over. After having upgraded them to 3.8 I switched to using groups within pf.conf.
Just to note: I've seen that setting an interface group in the loginterface option is parsed without error with pfctl -n, while (I think correctly) it gives an error without -n: pfctl: DIOCSETSTATUSIF

Another note is the behaviour of route-to associated with groups. Again, here I first set up route-to to route to an interface group, and this loads with or without -n without any error, but the system doesn't pass packets; I suppose because it didn't know which interface to forward packets to, even if the group is composed of one single interface. Just changing the route-to option to the interface name instead of the interface group makes the whole thing run as expected.

This is probably the correct behaviour by pf, but it is probably incorrect behaviour by pfctl, which could/should note the fact that you're routing to an interface group (even with pfctl -vv there's no warning/error). Instead, if pf should handle the configuration with route-to an interface group correctly, then there's a bug.

Thanks for your time, best regards
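For readers wanting to reproduce the two observations above, the following pf.conf fragment is an added example and is not the poster's own configuration: the interface name em0, the group name uplink, the next-hop address 192.0.2.1 and the 10.0.0.0/24 source network are all assumed placeholders. The commented-out lines are the forms the post reports as failing; the active lines are the forms it reports as working.

```pf
# Assumed: em0 is the external interface and has been placed in the
# interface group "uplink" beforehand with:  ifconfig em0 group uplink
ext_if = "em0"

# loginterface: the post reports that a group name here passes "pfctl -n"
# but fails at load time with "pfctl: DIOCSETSTATUSIF"; an interface
# name works.
# set loginterface uplink
set loginterface $ext_if

# route-to: the post reports that a group name here loads without any
# error (even with -vv) but no packets are forwarded; naming the
# interface directly makes forwarding work.
# pass out on $ext_if route-to (uplink 192.0.2.1) from 10.0.0.0/24 to any
pass out on $ext_if route-to ($ext_if 192.0.2.1) from 10.0.0.0/24 to any
```

To compare the two behaviours, parse the file first with `pfctl -nvvf /etc/pf.conf` (syntax check only, no rules loaded), then load it with `pfctl -vvf /etc/pf.conf`; the loginterface error only shows up in the second step, and the route-to case shows up in neither, which is the point the post raises.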