Maybe I'm splitting hairs here, but I don't know, so I'll ask. I have read the OpenBSD documentation and didn't find the answers I'm looking for, and digging into the code would likely leave me more confused.
When creating a firewall alias, is one of these better than the other in terms of economy of processing?
- Type: Host; Content: 192.168.1.2, 192.168.1.3
- Type: Network; Content: 192.168.1.2/31
I think for larger networks the intuitive answer is that the latter method is superior; I'm just wondering if the answer changes for a sufficiently small network.
Similarly, does the answer change if I have a mix of hosts and networks?
- Type: Host; Content: 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4
- Type: Network; Content: 192.168.1.1, 192.168.1.2/31, 192.168.1.4
Maybe a better question would be how OPNsense expands aliases like these when creating actual pf rulesets. Then a person could draw their own conclusions when deciding how to craft their aliases.
You can see the table contents from the pfTable diagnostics page. There are also network ranges (IP-IP) and negation (!IP) to play with.
From what I can tell, ranges are converted into subnets and stray /32 addresses internally.
Cheers,
Franco
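To make the expansion concrete, here is a small Python script (an added example, not OPNsense or pf code) that turns alias contents into the minimal set of CIDR entries, using the same rule Franco describes: a start-end range is summarized into subnets plus stray /32s, adjacent hosts are merged into the smallest covering subnets, and negated entries are kept in a separate list. The alias contents below are constructed from the question; the function names and the tuple return shape are this example's own. Running it on the two variants from the question shows that they expand to identical entries, so the choice of alias type does not change what ends up in the table.

```python
"""Expand alias contents (hosts, networks, IP-IP ranges, !negation) into the
minimal CIDR entries a pf table would hold.  Added example, not OPNsense code.
Only one address family per alias is assumed (IPv4 in the samples below)."""
import ipaddress


def parse_entry(entry):
    """Turn one alias entry into a list of ip_network objects.

    Accepts 'host', 'net/prefix' and 'start-end' ranges.  A range is
    summarized into the fewest subnets that cover it exactly, which is the
    'subnets plus stray /32 addresses' form Franco describes.
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version or start > end:
            raise ValueError(f"bad range: {entry}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False tolerates host bits set, e.g. 192.168.1.2/31
    return [ipaddress.ip_network(entry, strict=False)]


def expand_alias(entries):
    """Return (include, exclude) lists of CIDR strings.

    Adjacent hosts and networks are collapsed into the smallest covering
    blocks; entries prefixed with '!' are collapsed separately so the caller
    can see which blocks are negated.
    """
    include, exclude = [], []
    for raw in entries:
        raw = raw.strip()
        if raw.startswith("!"):
            exclude.extend(parse_entry(raw[1:]))
        else:
            exclude_or_include = include
            exclude_or_include.extend(parse_entry(raw))
    return (
        [str(n) for n in ipaddress.collapse_addresses(include)],
        [str(n) for n in ipaddress.collapse_addresses(exclude)],
    )


if __name__ == "__main__":
    # Constructed alias contents taken from the question.
    samples = {
        "Host: 192.168.1.2, 192.168.1.3": ["192.168.1.2", "192.168.1.3"],
        "Network: 192.168.1.2/31": ["192.168.1.2/31"],
        "Host: .1, .2, .3, .4": ["192.168.1.1", "192.168.1.2",
                                  "192.168.1.3", "192.168.1.4"],
        "Network: .1, .2/31, .4": ["192.168.1.1", "192.168.1.2/31",
                                    "192.168.1.4"],
        "Range: 192.168.1.2-192.168.1.9": ["192.168.1.2-192.168.1.9"],
        "Net with negation": ["10.0.0.0/24", "!10.0.0.5"],
    }
    for label, contents in samples.items():
        inc, exc = expand_alias(contents)
        print(f"{label:35} -> {inc}" + (f"  minus {exc}" if exc else ""))
```

The script uses only the standard `ipaddress` module; `summarize_address_range` does the range-to-subnet split and `collapse_addresses` merges adjacent hosts (it treats /32 entries as single addresses and folds consecutive runs into subnets), which is why the "Host" and "Network" forms of each pair come out the same. The mixed list from the question (.1, .2/31, .4) is already minimal, since .1 and .4 cannot be merged with the .2/31 block without pulling in .0 or .5.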