On 2011/05/19 10:22, Alexander Hall wrote:
> Hmmm, looking further, it seems ordinary rules only match on the
> interface name or group as well (in pfi_kif_match()), so maybe
> you're just plain right after all. :-)

Yes, this is the main problem imo. Current 'set skip' handling
pre-dates interface groups and is different to everything else in PF.
Because it works as expected for the created-by-default groups like
lo, gre, vlan, mpe, ..., the user tends to assume that it does
actually support groups.

> Note that the default ruleset does include a 'set skip on lo' but
> that's fine since lo* interfaces are by default added to the "lo"
> group.
>
> If people get bitten by this change, they could either add
> an interface-name-matching group to each interface or we do that
> automatically, as is done for vlan's, lo's etc.

What does anyone else think about this (making em0 a member of em
automatically, etc.)? I don't think it's really all that important,
there are usually better grouping criteria than "what driver supports
the device" and people have to change their ruleset this release
anyway.