On 2013/07/23 10:31, Henning Brauer wrote:
> if the optimizer was broken in general we would have noticed a LONG
> time ago. so this is OBVIOUSLY ruleset-dependent, yet you didn't even
> try to come up with a minimal ruleset that triggers the bug. or (which
> is worse, but better than nothing) include your ruleset exhibiting the
> problem. 

Here's a contrived example for one case where the optimizer changes the
meaning of the rules. Not sure whether it's considered a bug or not
(and actually in this case the optimized version is more likely to be
correct).

$ echo 'pass quick inet to !self' | pfctl -nvf - -o none
pass quick inet from any to ! 127.0.0.1 flags S/SA
pass quick inet from any to ! 10.1.1.1 flags S/SA
pass quick inet from any to ! 10.1.1.4 flags S/SA
pass quick inet from any to ! 10.1.1.9 flags S/SA
pass quick inet from any to ! 10.1.1.15 flags S/SA
pass quick inet from any to ! 10.1.1.19 flags S/SA
pass quick inet from any to ! 10.1.1.35 flags S/SA

$ echo 'pass quick inet to !self' | pfctl -nvf -
table <__automatic_0> const { 127.0.0.1 10.1.1.1 10.1.1.4 10.1.1.9 10.1.1.15 
10.1.1.19 10.1.1.35 }
pass quick inet from any to ! <__automatic_0> flags S/SA
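To make the difference between the two outputs concrete, here is an added Python model of how pf evaluates these rules; it is not part of the thread and does not run pfctl. It models only the destination match and pf's "first quick match wins" behaviour, with the seven addresses pfctl expanded `self` to in the output above, and it assumes a preceding `block all` so that "no rule matched" means the packet is dropped. The point it shows: because each expanded rule is `to ! X` for a single host, a packet to 10.1.1.1 is passed by the very first rule (`to ! 127.0.0.1`), so the unoptimized ruleset passes everything, while the table form only passes traffic to addresses outside `<__automatic_0>`.

```python
import ipaddress

# The addresses pfctl expanded "self" to in the quoted output (kept in the
# same order pfctl printed them).
SELF_ADDRS = tuple(ipaddress.ip_address(a) for a in (
    "127.0.0.1", "10.1.1.1", "10.1.1.4", "10.1.1.9",
    "10.1.1.15", "10.1.1.19", "10.1.1.35"))

# A rule is (action, negated, destination hosts). Every rule in the example is
# "pass quick inet from any ... flags S/SA", so proto, source and flags are
# not modelled; only the destination match differs between the two forms.
UNOPTIMIZED = [("pass", True, frozenset([a])) for a in SELF_ADDRS]   # -o none
OPTIMIZED = [("pass", True, frozenset(SELF_ADDRS))]  # one rule on <__automatic_0>


def evaluate(rules, dst):
    """Return the action of the first matching rule, or None if nothing matched.

    All rules carry "quick", so the first match is final. "to X" matches when
    dst is in X; "to ! X" matches when it is not.
    """
    dst = ipaddress.ip_address(dst)
    for action, negated, hosts in rules:
        if (dst in hosts) != negated:
            return action
    return None  # no rule matched; with a preceding "block all" this is a drop


def differing_destinations(candidates):
    """Destinations for which the optimizer changed the ruleset's verdict."""
    return [d for d in candidates
            if evaluate(UNOPTIMIZED, d) != evaluate(OPTIMIZED, d)]


if __name__ == "__main__":
    # Constructed sample: every "self" address plus one unrelated host.
    sample = [str(a) for a in SELF_ADDRS] + ["192.0.2.5"]
    for d in sample:
        print(f"{d:>12}  unoptimized={evaluate(UNOPTIMIZED, d)!s:5}"
              f"  optimized={evaluate(OPTIMIZED, d)}")
    print("verdict differs for:", differing_destinations(sample))
```

Running it lists every `self` address under "verdict differs": the expanded form returns `pass` for all of them, the table form returns `None`, and only 192.0.2.5 is treated the same way by both. This is why the optimized version is the one that matches the intent of `to !self`; the expansion of a negated multi-address host into separate negated rules is what loses the meaning.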
