On Thu, May 19, 2011 at 10:22:07AM +0200, Alexander Hall wrote:
> On 05/18/11 23:31, Stuart Henderson wrote:
> > "set skip" in PF has a slightly unexpected behaviour; rather
> > than skipping by interface group, it matches on the non-numeric
> > part of an interface name.
>
> I think the prefix match test is a common behaviour so I think you
> should keep that. Example, granted (note that there is no "sis" group).
>
> $ ifconfig sis | egrep '^sis|^ group'
> sis0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         groups: a_group
> sis1: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         groups: another_group
> sis2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         groups: yet_another
>
> However it seems not entirely consistent since if I create a "sis"
> group, it will only list the interfaces within that group.
>
> Hmmm, looking further, it seems ordinary rules only match on the
> interface name or group as well (in pfi_kif_match()), so maybe
> you're just plain right after all. :-)
>
> Note that the default ruleset does include a 'set skip on lo' but
> that's fine since lo* interfaces are by default added to the "lo"
> group. If people get bitten by this change, they could either add
> an interface-name-matching group to each interface or we do that
> automatically, as is done for vlan's, lo's etc.
>
> So in the end this looks right, so ok halex@, but bear in mind I'm
> not by far authoritative in this part of the tree.
>
There is a bigger problem with 'set skip on lo': it is only evaluated during
load. So if you create a lo1 afterwards the set skip will not trigger. This is
very annoying, especially with qemu and tun interfaces.

To be honest I'm not sure who will do a 'set skip on sis' or 'set skip on em'.
Normally you want to filter on your physical interfaces and not just skip them
all. For pseudo-devices like lo, tun, vlan, etc. a group is created
automatically.

I think the very important bit is this:

> Hmmm, looking further, it seems ordinary rules only match on the
> interface name or group as well (in pfi_kif_match()), so maybe
> you're just plain right after all. :-)

set skip is currently special and works in a not so expected way, so it is
better to make it work like all other users of interface names, and people
needing 'set skip on em' should add a 'group em' line to their hostname.em*
files.

-- 
:wq Claudio
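As an added illustration of the workaround Claudio describes above (this is not configuration from the thread or from the OpenBSD tree): putting the physical interfaces into a group named after their driver, so that `set skip on em` keeps matching them once set skip is resolved by name or group like any ordinary rule. The interface names em0/em1, the addresses (RFC 5737 documentation ranges) and the surrounding rules are constructed for the example; the `(skip)` marker is what pfctl(8) prints next to skipped interfaces in verbose interface listings.

```conf
# /etc/hostname.em0  (constructed example; lines not understood by
# netstart are handed to ifconfig(8) as "ifconfig em0 <line>")
inet 192.0.2.10 255.255.255.0
group em

# /etc/hostname.em1  (constructed example)
inet 198.51.100.10 255.255.255.0
group em

# /etc/pf.conf
#
# Before: "set skip on em" only worked because set skip matched the
# non-numeric prefix of the interface name. After the change it is looked
# up the same way pfi_kif_match() does for ordinary rules: an exact
# interface name or a group. With the "group em" lines above this line
# now matches the group, so em0 and em1 are still skipped.
set skip on em
block all
pass out on lo   # lo0, lo1, ... are placed in the "lo" group automatically

# To apply on a running system without a reboot (assumed commands):
#   ifconfig em0 group em
#   ifconfig em1 group em
#   pfctl -f /etc/pf.conf
#
# Check that the skip actually took effect: interfaces known to pf are
# listed by "pfctl -s Interfaces -v", and a skipped interface is marked
# "(skip)" after its name. If em0 and em1 are not marked, the group is
# missing or the ruleset was loaded before the group was assigned.
```

Because set skip is only evaluated when the ruleset is loaded, the order matters: assign the group first (hostname.if files are processed before pf.conf is loaded at boot), or reload pf after changing groups by hand.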