On 2013/08/15 15:36, Henning Brauer wrote:
> * Stuart Henderson <st...@openbsd.org> [2013-08-15 12:28]:
> > On 2013/08/14 22:05, Philip Guenther wrote:
> > > > # Only match connections that will be forwarded (or nothing listening
> > > > on the local host)
> > > > pass in proto tcp user unknown
> > >
> > > pass in proto tcp to !self
> > >
> > > (Does this hit the optimizer issue?)
> >
> > This one is fun. It depends on how many addresses "self" has -
> > if it's a small number of addresses then the optimizer is *not* used
> > and it expands to:
> >
> > pass in proto tcp to !someaddr
> > pass in proto tcp to !otheraddr
> >
> > so it doesn't do the right thing.
> >
> > But add a few more addresses and the optimizer kicks in replacing
> > the list of addresses with a table,
> >
> > pass in proto tcp to !<__automatic_1>
> >
> > which *does* work as expected.
>
> the old macro expansion issue. pretty much unfixable.
>
> fwiw, I tend to do
> table <self> persist { self }
> and then use <self>.
>
> > I think that, as things stand, either the documentation or implementation
> > are wrong:
> >
> > "The value unknown matches packets of forwarded connections."
>
> the uid/gid-of-socket code in pf hasn't been touched in ages if ever
> after initial implementation, if it's wrong nobody noticed in many
> many many years (not impossible).
Probably nobody tried to use it... it was not obvious to me at first reading that the word "unknown" could be used as a literal; I thought it was just saying that for a forwarded connection we didn't know the username (which is obvious anyway).
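As an added illustration (not a ruleset from the thread or from OpenBSD itself), here is the table-based form of the "forwarded connections only" rule next to the form that expands per address. The reason the expanded form misbehaves is that each expanded rule is evaluated on its own: a packet addressed to the first local address still matches `to !otheraddr`, so in effect every packet passes. A table is matched as a single lookup, so `!<self>` really means "destination is not any local address". The table name `<self>` and the rule are assumptions for the example, not something the thread prescribes.

```pf
# Added example, not from the thread.
# "self" is pf's keyword for every address on every interface; "persist"
# keeps the table even while no loaded rule references it.
table <self> persist { self }

# Only match connections that will be forwarded (nothing listening on the
# local host): destination is not any local address, evaluated as one
# table lookup.
pass in proto tcp to !<self>

# For comparison: with a small number of local addresses this expands
# into one rule per address and therefore does not express "not any
# local address".
# pass in proto tcp to !self
```

To see what a rule actually becomes before loading it, parse the file with `pfctl -nvf /etc/pf.conf` (parse only, print the expanded ruleset); after loading, `pfctl -t self -T show` lists the addresses currently in the table.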