2018-06-06 13:55 GMT+02:00 Stuart Henderson <[email protected]>:
> On 2018-06-06, Johan Mellberg <[email protected]> wrote:
<snip>
> with ext_if="re0", $ext_if expands to re0.
>
> If this is used in place of an address in a PF rule, re0's address is
> looked up when pfctl is run and that is used.
>
> If "(re0)" is used instead, that lookup is done when the firewall state
> is created rather than during rule load. So if you have an address which
> does *not* change, using () is unnecessary overhead at runtime for every
> new state which has to evaluate this.
>

Got it, thanks. I guessed something like that, just did not get the further expansion from interface name to IP address.

<snip>

> () is only for places which take an address. "set skip" takes an "ifspec"
> instead. The interface name itself is valid but "set skip on (em0)" is not.

Ah! Thank you! That clears it up for me.

> I realise this is just testing but will mention just in case: you don't
> usually want to set skip on the external *or* internal interface.

Heh, yes. That was why I was just testing the syntax; I never actually loaded the file. I could have used another file to play with, but I was lazy - and the test lines have been removed. Also, it's being tested in a VM running on a laptop that is usually connected to known and sort of trusted networks, so it's not terribly exposed. And it will probably be deleted when I'm done practising.

Many thanks (to all who replied),
/Johan
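The three points made in the thread (macro expansion at load time, parenthesised interface for per-state address lookup, and "set skip" taking a bare ifspec) shown side by side in a small pf.conf fragment. This is an added example, not a file from the thread; the interface names re0/em0 come from the discussion, the loopback interface and the port numbers are assumed for illustration.

```pf
# Macros: $ext_if expands to the literal text "re0" when pfctl parses the file.
ext_if="re0"
int_if="em0"

# "set skip" takes an ifspec, not an address, so no parentheses are allowed here
# ("set skip on ($ext_if)" is a syntax error). Skipping lo0 is the usual choice;
# skipping the external or internal interface leaves that traffic unfiltered.
set skip on lo0

block all

# $ext_if in an address position: re0's address is looked up once, when pfctl
# loads the ruleset. Cheapest option when the address never changes.
pass in on $ext_if proto tcp from any to $ext_if port 22

# ($ext_if) in an address position: the lookup is deferred until a state is
# created, so the rule follows a changing address (e.g. one assigned by DHCP)
# at the cost of an extra lookup for every new state.
pass in on $ext_if proto tcp from any to ($ext_if) port 80

pass out on $ext_if keep state
```

Check the syntax without loading it with "pfctl -nf /path/to/pf.conf"; that is also the safe way to experiment with "set skip" lines on a machine you care about, since the "-n" flag parses the file but does not install the rules.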

