pf question

Giorgos Keramidas keramida at ceid.upatras.gr
Tue Mar 8 05:04:17 PST 2005


On 2005-03-08 06:49, "J.D. Bronson" <jbronson at wixb.com> wrote:
> First my ifconfig -A:
>
> # ifconfig -A
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: xxxxxxxxxxxx
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 192.168.82.1 netmask 0xffffff00 broadcast 192.168.82.255
>         inet 192.168.82.2 netmask 0xffffffff broadcast 192.168.82.2
>
>
> I use a rule in the firewall such as this:
> # macros
> int_if = "bge0"
>
> pass in on $int_if from $int_if:network to any modulate state
> pass out on $int_if from any to $int_if:network modulate state
>
> This expands to:
> pass in on bge0 inet from 192.168.82.0/24 to any modulate state
> pass in on bge0 inet from 192.168.82.2 to any modulate state
> pass out on bge0 inet from any to 192.168.82.0/24 modulate state
> pass out on bge0 inet from any to 192.168.82.2 modulate state
>
> Why does it pick the alias IP on the nic and not the actual IP?
> Is this intended by design?

Because the first IP address has a netmask with zero bits, and pf is
smart enough to recognize this as part of a subnet/network (this is,
after all, the meaning of the :network modifier).  The alias IP has a
netmask of 0xffffffff, which may match only that alias address.
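The expansion described in the reply, worked through in code.  This is an
added example, not part of the original thread or of pf itself: it mimics
what pf does for `$if:network` by masking each address configured on the
interface with that address's own netmask, so a /24 address yields the
/24 network and a 0xffffffff alias yields a single host entry.  The
interface name and the two (address, netmask) pairs are constructed from
the ifconfig output quoted above; `hexmask_to_prefixlen`, `if_network`
and `expand_rules` are names chosen here, not pf APIs.

```python
"""Mimic pf's ``$if:network`` expansion for a list of interface addresses.

Added example, not from the original post. pf derives the network for each
address on the interface from that address's own netmask; an alias
configured with netmask 0xffffffff therefore expands to a single host.
"""
import ipaddress

# Constructed from the ifconfig output in the post: (address, netmask) pairs
# exactly as ifconfig reports them on bge0.
BGE0 = [
    ("192.168.82.1", "0xffffff00"),
    ("192.168.82.2", "0xffffffff"),
]


def hexmask_to_prefixlen(hexmask: str) -> int:
    """Convert a BSD-style hex netmask (e.g. 0xffffff00) to a prefix length.

    Rejects non-contiguous masks: they cannot be written as a CIDR prefix,
    and pf does not emit them for :network."""
    mask = int(hexmask, 16)
    if mask < 0 or mask > 0xFFFFFFFF:
        raise ValueError(f"not an IPv4 mask: {hexmask}")
    prefix = bin(mask).count("1")
    # A contiguous mask is exactly `prefix` one-bits followed by zero-bits.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {hexmask}")
    return prefix


def if_network(addresses):
    """Expand `$if:network`: one network per configured address, each masked
    by its own netmask. Returns pf-style strings in interface order, with
    duplicates dropped and /32 hosts printed without a prefix length."""
    nets = []
    for addr, hexmask in addresses:
        net = ipaddress.ip_network(
            f"{addr}/{hexmask_to_prefixlen(hexmask)}", strict=False
        )
        if net not in nets:
            nets.append(net)
    return [
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in nets
    ]


def expand_rules(int_if, addresses):
    """Expand the two macro rules from the post into the per-network rules
    pf produces: first every 'pass in', then every 'pass out'."""
    nets = if_network(addresses)
    rules = [f"pass in on {int_if} inet from {net} to any modulate state"
             for net in nets]
    rules += [f"pass out on {int_if} inet from any to {net} modulate state"
              for net in nets]
    return rules


if __name__ == "__main__":
    for rule in expand_rules("bge0", BGE0):
        print(rule)
```

On the real system the same expansion is visible with `pfctl -nvf
/etc/pf.conf`, which parses the ruleset verbosely without loading it.  If
the intent is to match only the real subnet and not the alias host, write
the network literally (`192.168.82.0/24`) instead of using `$int_if:network`.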



More information about the freebsd-questions mailing list