duplicate rule on :broadcast

Jon Simola jsimola at gmail.com
Thu Sep 6 15:16:42 PDT 2007


On 9/6/07, Gergely CZUCZY <phoemix at harmless.hu> wrote:
> Hello
>
> I've got a configuration where I've got 2 IPs on em0
> from the very same subnet. This means they have the
> same broadcast address.

ifconfig(8) suggests:
     alias   Establish an additional network address for this interface.  This
             is sometimes useful when changing network numbers, and one wishes
             to accept packets addressed to the old interface.  If the address
             is on the same subnet as the first network address for this
             interface, a non-conflicting netmask must be given.  Usually
             0xffffffff is most appropriate.

> Is it really necessary to have duplicates when the
> broadcast addresses of the assigned addresses are the
> very same?

pfctl doesn't check to see if rules created by expansion make sense or duplicate
other rules. Doing so would increase the complexity, and duplicate rules end up
getting skipped anyway. You may want to check out the -o option for optimizing
the running ruleset, or you can rewrite your rule to avoid using :broadcast.

if_inet = "int0"
table <if_inet> persist { $if_inet }
block in quick on $if_inet from any to !<if_inet> port 137 label "broadcast deny"

That has the same effect (block stuff that isn't explicitly addressed to me),
and doesn't expand to more than a single rule.

-- 
Jon


More information about the freebsd-pf mailing list
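A pf.conf fragment putting the two approaches from the thread side by side, added here as an illustration and not taken from either poster. It assumes em0 carries the constructed addresses 192.0.2.10 and 192.0.2.11 on 192.0.2.0/24, the second one added as an alias with netmask 0xffffffff as ifconfig(8) recommends.

```pf
# Constructed example configuration; interface and addresses are assumptions.
ext_if = "em0"

# Original style: ":broadcast" is expanded once per address configured on
# em0. Both addresses share 192.0.2.255, so pfctl emits this rule twice and
# the second copy is simply never reached.
block in quick on $ext_if from any to $ext_if:broadcast port 137 label "bcast via :broadcast"

# Rewrite from the reply above: keep the interface's own addresses in a
# table and block port 137 traffic sent to anything else, broadcast
# included. An interface name inside a table expands to its addresses,
# and "persist" keeps the table around even when the rule set is flushed.
table <ext_self> persist { $ext_if }
block in quick on $ext_if from any to !<ext_self> port 137 label "broadcast deny"
```

Running `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints every rule as expanded, which makes the duplicated :broadcast rule and the single table rule easy to compare.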