Harald Dunkel <ha...@afaics.de> writes:

> Pf question about parentheses around "self": Does "(self)"
> work similar to "(egress)"? pf.conf(5) describes parentheses
> around interface names and interface groups, but "self" is
> not mentioned:
The parentheses denote potentially dynamic addresses, and IIRC the main
difference is that with parentheses the list will be expanded at rule
evaluation time, while without the parentheses, the list of addresses is
expanded at ruleset load time.

An easy way to demonstrate this is to write a ruleset like this

  $ cat pfmyself
  table <myself> persist counters { self }
  block
  pass from self

which expands to something like

  $ sudo pfctl -vnf pfmyself
  table <myself> persist counters { ::1 fe80::1 127.0.0.1 192.168.1.144 }
  block drop all
  pass inet6 from ::1 to any flags S/SA
  pass on lo0 inet6 from fe80::1 to any flags S/SA
  pass inet from 127.0.0.1 to any flags S/SA
  pass inet from 192.168.1.144 to any flags S/SA

now change the final line to read

  pass from (self)

and you get

  $ sudo pfctl -vnf pfmyself
  table <myself> persist counters { ::1 fe80::1 127.0.0.1 192.168.1.144 }
  block drop all
  pass from (self) to any flags S/SA

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
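A small Python model of the two expansion modes described in the reply above, added here as an illustration; it is neither part of the thread nor pf code. It mimics pfctl expanding "self" once at load time while "(self)" is re-read per evaluation, with pf's last-matching-rule-wins semantics, and shows what happens when the host's address changes after the ruleset was loaded. The addresses, the address change and the minimal rule parser are constructed.

```python
"""Constructed model of pf's 'self' vs '(self)' expansion (not pf itself)."""
from dataclasses import dataclass, field
from typing import List

# Constructed snapshot of the host's addresses at ruleset load time
# (the same four addresses pfctl -vnf printed in the message above).
LOAD_TIME_ADDRS = ["::1", "fe80::1", "127.0.0.1", "192.168.1.144"]


@dataclass
class Host:
    addrs: List[str]  # current addresses; may change after load (e.g. new lease)


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # "any", "self" or "(self)"
    expanded: List[str] = field(default_factory=list)  # filled only for "self"


def load_ruleset(rules_text: str, host: Host) -> List[Rule]:
    """Mimic pfctl -f: 'self' is expanded now, '(self)' stays symbolic."""
    rules = []
    for line in rules_text.strip().splitlines():
        words = line.split()
        if words == ["block"]:                      # bare "block" == block all
            rules.append(Rule("block", "any"))
            continue
        action, _from, src = words                  # e.g. "pass from (self)"
        expanded = list(host.addrs) if src == "self" else []
        rules.append(Rule(action, src, expanded))
    return rules


def evaluate(rules: List[Rule], host: Host, src_ip: str) -> str:
    """pf semantics: the last matching rule decides; default is pass."""
    decision = "pass"
    for r in rules:
        if r.src == "any":
            matched = True
        elif r.src == "(self)":
            matched = src_ip in host.addrs          # re-read at evaluation time
        else:
            matched = src_ip in r.expanded          # frozen at load time
        if matched:
            decision = r.action
    return decision
```

With the static form, a packet from an address the host acquired after loading is blocked by the catch-all rule; the parenthesised form keeps matching without a ruleset reload.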