On 2011/05/19 11:26, Claudio Jeker wrote:
> There is a bigger problem with 'set skip on lo', it is only evaluated
> during load. So if you create a lo1 afterwards the set skip will not
> trigger. This is very annoying especially with qemu and tun interfaces.

Right, I noticed this during testing, and this at least deserves a
mention (independent of my other diff).

Changing this behaviour could be a problem though, I think it would
need to be checked before state lookup, and we don't want to walk the
groups of all interfaces on the system for every packet.

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.493
diff -u -p -r1.493 pf.conf.5
--- pf.conf.5   2 May 2011 07:04:59 -0000       1.493
+++ pf.conf.5   19 May 2011 09:45:48 -0000
@@ -1184,6 +1184,9 @@ Packets passing in or out on such interf
 disabled, i.e. pf does not process them in any way.
 This can be useful on loopback and other virtual interfaces, when
 packet filtering is not desired and can have unexpected effects.
+.Ar ifspec
+is only evaluated when the ruleset is loaded; interfaces created
+later will not be skipped.
 .It Ar set state-defaults
 The
 .Ar state-defaults
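Review bot: The added sentence after "unexpected effects" documents the limitation but leaves the reader without the recovery step; since the text itself says the ifspec is only evaluated when the ruleset is loaded, it would help to state the consequence explicitly, e.g. that the ruleset must be reloaded after such an interface is created for it to be skipped. Consider also naming what is matched, since "interfaces created later" covers both an interface named directly and one that later joins a group given in the ifspec; something like "interfaces (or group members) created later will not be skipped until the ruleset is reloaded" keeps the point while telling the administrator what to do.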
