OPNsense Forum

English Forums => Development and Code Review => Topic started by: iMac-ant on September 18, 2020, 09:28:57 AM

Title: Cardinality of ruleset
Post by: iMac-ant on September 18, 2020, 09:28:57 AM
Good morning to all, I have a question:

the number of rules in /tmp/rules.debug (starting from antispoof log for <interface>) is greater than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.
Title: Re: Cardinality of ruleset
Post by: franco on September 18, 2020, 09:33:27 AM
The generated rules in /tmp/rules.debug are a "proposal" to pfctl, the ruleset obtained from pfctl is the one that is already cleaned up somewhat regardless of optimization state.


Cheers,
Franco
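One way to compare the two numbers like for like, as an added example that is not code from this thread or from OPNsense: classify the lines of a rules.debug-style file (macros, tables, options, translation rules, comments, filter rules) and set the filter rules beside what pf reports as loaded. Both inputs below are constructed samples with hypothetical interface names and addresses; on a firewall you would point the functions at /tmp/rules.debug and the saved output of `pfctl -s rules` instead.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): break down what a
# rules.debug-style proposal contains versus what pf reports as loaded.
# Sample inputs are constructed and written to temp files so this runs
# offline; replace them with /tmp/rules.debug and `pfctl -s rules` output.

SAMPLE_DEBUG=$(mktemp)
SAMPLE_LOADED=$(mktemp)
trap 'rm -f "$SAMPLE_DEBUG" "$SAMPLE_LOADED"' EXIT

# Constructed excerpt in the style of /tmp/rules.debug; interfaces and
# addresses are hypothetical.
cat > "$SAMPLE_DEBUG" <<'EOF'
lan = "em1"
wan = "em0"
table <sshlockout> persist
set skip on lo0
nat on $wan inet from 192.168.1.0/24 to any -> ($wan)
# [prio] Defaults
antispoof log for $lan
# Default deny
block in log all label "Default deny rule"
# allow web from lan
pass in quick on $lan inet proto tcp from 192.168.1.0/24 to any port { 80 443 } keep state label "allow web"
# allow ssh to the firewall
pass in quick on $lan proto tcp from any to (self) port 22 keep state label "allow ssh"
# let out anything from firewall host itself
pass out quick on { $lan $wan } keep state label "let out anything from firewall host itself"
EOF

# Constructed sample of what `pfctl -s rules` prints for that proposal:
# macros resolved, antispoof and { } lists expanded one rule per member,
# the nat line absent (translation rules are listed by `pfctl -s nat`).
cat > "$SAMPLE_LOADED" <<'EOF'
block drop in on ! em1 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.1 to any
block drop in log all label "Default deny rule"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = http flags S/SA keep state label "allow web"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = https flags S/SA keep state label "allow web"
pass in quick on em1 proto tcp from any to (self) port = ssh flags S/SA keep state label "allow ssh"
pass out quick on em1 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on em0 all flags S/SA keep state label "let out anything from firewall host itself"
EOF

# Count lines on stdin (portable, unlike wc -l's padded output on some systems).
count() { awk 'END { print NR }'; }

# Every line from the first "antispoof log for" on: the naive count from the question.
raw_lines_from_antispoof() {
  awk '/^antispoof log for/ { started = 1 } started { print }' "$1"
}

# Same span, but only filter rules (pass/block/match/antispoof). Comments,
# macros, tables, options and nat/rdr/binat lines never show up in `pfctl -s rules`.
proposed_filter_rules() {
  raw_lines_from_antispoof "$1" | awk '$1 ~ /^(pass|block|match|antispoof)$/'
}

# Proposed rules pfctl turns into several loaded rules: a { } list becomes one
# rule per member, antispoof becomes block rules for the interface's addresses.
expanding_rules() {
  proposed_filter_rules "$1" | awk 'index($0, "{") || $1 == "antispoof"'
}

# Rules pf actually reports as loaded.
loaded_filter_rules() {
  awk '$1 ~ /^(pass|block|match)$/' "$1"
}

report() {
  printf 'raw lines from antispoof on : %s\n' "$(raw_lines_from_antispoof "$1" | count)"
  printf 'filter rules proposed       : %s\n' "$(proposed_filter_rules "$1" | count)"
  printf '  of which expand in pfctl  : %s\n' "$(expanding_rules "$1" | count)"
  printf 'filter rules loaded         : %s\n' "$(loaded_filter_rules "$2" | count)"
}

report "$SAMPLE_DEBUG" "$SAMPLE_LOADED"
```

With the sample data the raw count from antispoof on is 9, of which only 5 are filter rules, and pf reports 8 loaded rules because three of those five expand. A raw line count of rules.debug therefore measures comments and non-filter lines as well as rules, while `pfctl -s rules` reports the post-expansion ruleset; neither number is "wrong", they count different things.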
Title: Re: Cardinality of ruleset
Post by: iMac-ant on September 18, 2020, 09:43:58 AM
What is the cleaning criteria of pfctl? Is there any anomaly, such as dependency anomaly or redundancy anomaly?
Title: Re: Cardinality of ruleset
Post by: franco on September 18, 2020, 09:44:23 AM
You will have to consult the source code for this to be sure.


Cheers,
Franco
Title: Re: Cardinality of ruleset
Post by: iMac-ant on September 18, 2020, 09:51:01 AM
Thank you very much.

Antonio