Sunday, April 19, 2026

Re: debian VM can't connect to network: arp error?

* Atanas Vladimirov <vlado@bsdbg.net> [2026-04-16 14:25]:
> When you restart the VM the tapX device gets deleted/destroyed and all pf
> rules (related to it) are gone too.

doesn't compute; that is simply not how pf works.

when it comes to interfaces, there are mostly 2 relevant cases: rules bound to interfaces (or groups), i.e. "on tapX", and an interface (group) name used in place of IP addresses, i.e. "to tapX" or "to (tapX)".

for rules bound to interfaces, there is an abstraction. when the interface the rule refers to goes away the rule will just not match anything, and when the interface (re-)appears it is attached again and everything works like before.

for interface names resolving to IPs, the "to tapX" form is resolved at ruleset load time and won't change until you reload, with the interface name resolving to the IP(s) the interface has at that very same moment. In the "to (tapX)" form the resolution is dynamic and updated every time the interface changes.

it is pretty much the same for interface groups; there was a long-standing bug with rules being bound to an interface group, say "tap", and newly arriving tapX interfaces part of that group not being seen as such by pf - but I fixed that some years ago.

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
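Added example, not part of the original message: a constructed pf.conf fragment placing the forms described above side by side for a VM host. The interface name tap0, the group name tap, the ports and the idea of a resolver listening on the host's tap address are assumptions for illustration.

```pf
# Constructed pf.conf fragment. tap0, the "tap" group and the ports
# are illustrative assumptions, not taken from the thread.

block log all

# Case 1: rule bound to an interface ("on tap0").
# While tap0 does not exist the rule simply matches nothing; when the
# VM restarts and tap0 reappears, the rule is attached again.
# No ruleset reload is involved.
pass in on tap0 inet proto tcp to port 22

# Case 1, group variant: rule bound to the interface group "tap".
# Applies to every tapN interface that is a member of the group.
pass in on tap inet proto icmp

# Case 2a: interface name used as an address, static form ("to tap0").
# Expanded once, at ruleset load time, to the address(es) tap0 has at
# that moment. If the address changes later, this rule keeps the old
# value until the ruleset is reloaded (pfctl -f /etc/pf.conf).
pass in on tap0 inet proto udp to tap0 port 53

# Case 2b: interface name used as an address, dynamic form ("to (tap0)").
# pf tracks the interface and updates the address whenever it changes,
# so this rule stays correct across VM restarts and re-addressing.
pass in on tap0 inet proto udp to (tap0) port 53

# Checking what is actually loaded:
#   pfctl -sr   rules as loaded; 2a shows a literal address,
#               2b still shows (tap0)
#   pfctl -sI   interfaces and groups pf currently knows about
```

Comparing the two port 53 rules in `pfctl -sr` output before and after re-addressing tap0 makes the load-time versus dynamic resolution visible.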
