On 26 Feb 2023, at 9:09, Dave Horsfall wrote:
FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD 10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018 [email protected]:/usr/obj/usr/src/sys/GENERIC i386

(Yeah, I'll update soon, when I find a newer box)

Seen in my daily security run output:

+block drop in quick inet from <__automatic_43ce223_0> to any [ Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]

Obviously something created automatically (I don't have anything faintly
resembling that in my pf.conf), but how?


     set ruleset-optimization
           none      Disable the ruleset optimizer.
           basic     Enable basic ruleset optimization.  This is the default
                     behaviour.  Basic ruleset optimization does four things
                     to improve the performance of ruleset evaluations:

                     1.   remove duplicate rules
                     2.   remove rules that are a subset of another rule
                     3.   combine multiple rules into a table when advantageous
                     4.   re-order the rules to improve evaluation performance

           profile   Uses the currently loaded ruleset as a feedback profile
                     to tailor the ordering of quick rules to actual network
                     traffic.

           It is important to note that the ruleset optimizer will modify the
           ruleset to improve performance.  A side effect of the ruleset
           modification is that per-rule accounting statistics will have
           different meanings than before.  If per-rule accounting is
           important for billing purposes or whatnot, either the ruleset
           optimizer should not be used or a label field should be added to
           all of the accounting rules to act as optimization barriers.

           Optimization can also be set as a command-line argument to
           pfctl(8), overriding the settings in pf.conf.

That’d be case 3.

Kristof
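An added pf.conf illustration of case 3 (not from either message in the thread): a run of block rules that differ only in the source address, which the default basic optimizer may fold into one rule keyed on an automatic table, followed by the same rules with labels so the per-rule counters survive. The addresses and label names are constructed placeholders.

```conf
# --- Before: default optimizer, rules differ only in the source address ---
# With "set ruleset-optimization basic" (the default) pfctl may merge a run of
# rules like these into a single rule whose source is an automatic table,
# e.g. <__automatic_XXXX_0>, which is what shows up in the daily security
# report.  Packet/byte counters then belong to the merged rule, not to each
# original line.  (Constructed example addresses from 192.0.2.0/24.)
set ruleset-optimization basic
block drop in quick inet from 192.0.2.10 to any
block drop in quick inet from 192.0.2.20 to any
block drop in quick inet from 192.0.2.30 to any
block drop in quick inet from 192.0.2.40 to any
block drop in quick inet from 192.0.2.50 to any
block drop in quick inet from 192.0.2.60 to any

# --- After: labels act as optimization barriers ---
# Each label stops the optimizer from merging that rule with its neighbours,
# so the rules stay separate and "pfctl -vs rules" / "pfctl -s labels" keep
# per-rule accounting.  Label names are constructed placeholders.
# block drop in quick inet from 192.0.2.10 to any label "drop-192.0.2.10"
# block drop in quick inet from 192.0.2.20 to any label "drop-192.0.2.20"
# block drop in quick inet from 192.0.2.30 to any label "drop-192.0.2.30"
# block drop in quick inet from 192.0.2.40 to any label "drop-192.0.2.40"
# block drop in quick inet from 192.0.2.50 to any label "drop-192.0.2.50"
# block drop in quick inet from 192.0.2.60 to any label "drop-192.0.2.60"

# --- Alternative: disable the optimizer entirely ---
# Either in pf.conf:
#   set ruleset-optimization none
# or at load time, overriding pf.conf, with pfctl(8)'s -o option:
#   pfctl -o none -f /etc/pf.conf
```

After loading either variant, `pfctl -vs rules` shows whether the rules were kept separate or collapsed onto a `<__automatic_...>` table.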
