Re: Where did "from <__automatic_43ce223_0> come from?

From: mike tancsa <mike_at_sentex.net>
Date: Mon, 27 Feb 2023 12:59:16 UTC
On 2/25/2023 3:22 PM, Kristof Provost wrote:
>
> On 26 Feb 2023, at 9:09, Dave Horsfall wrote:
>
>     FreeBSD aneurin.horsfall.org 10.4-RELEASE-p13 FreeBSD
>     10.4-RELEASE-p13 #0: Thu Sep 27 09:21:23 UTC 2018
>     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>
>     (Yeah, I'll update soon, when I find a newer box)
>
>     Seen in my daily security run output:
>
>     +block drop in quick inet from <__automatic_43ce223_0> to any [
>     Evaluations: 7333 Packets: 4 Bytes: 240 States: 0 ]
>
>     Obviously something created automatically (I don't have anything
>     faintly
>     resembling that in my pf.conf), but how?
>
>
It can also show up if you use 'self'

e.g.

block log quick from self to <rejects>
block log quick from <rejects> to self

and then if you view the rules with pfctl -sr, it shows up as

block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>

     ---Mike


> set ruleset-optimization
>     none      Disable the ruleset optimizer.
>     basic     Enable basic ruleset optimization. This is the default
>               behaviour. Basic ruleset optimization does four things to
>               improve the performance of ruleset evaluations:
>               1. remove duplicate rules
>               2. remove rules that are a subset of another rule
>               3. combine multiple rules into a table when advantageous
>               4. re-order the rules to improve evaluation performance
>     profile   Uses the currently loaded ruleset as a feedback profile to
>               tailor the ordering of quick rules to actual network
>               traffic.
>
> It is important to note that the ruleset optimizer will modify the
> ruleset to improve performance. A side effect of the ruleset
> modification is that per-rule accounting statistics will have different
> meanings than before. If per-rule accounting is important for billing
> purposes or whatnot, either the ruleset optimizer should not be used or
> a label field should be added to all of the accounting rules to act as
> optimization barriers. Optimization can also be set as a command-line
> argument to pfctl(8), overriding the settings in pf.conf.
>
> That’d be case 3.
>
> Kristof
>
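
An added example, not part of the thread or of pf itself: two shell helpers for reading a `pfctl -sr` listing or a daily security diff that contains generated tables. The function names are hypothetical, the sample embeds the three rules quoted above plus one constructed rule, and it is an assumption that the generated suffix can differ from one ruleset load to the next, which is why the names are normalised before comparing listings.

```shell
#!/bin/sh
# Added example: summarise and normalise generated <__automatic_*> tables
# in `pfctl -sr` style output. Reads stdin, so it runs offline on the sample.

# Sample input: the three rules quoted in this thread plus one
# constructed ordinary rule (the last line is not from the thread).
sample_rules() {
cat <<'EOF'
block drop in quick inet from <__automatic_43ce223_0> to any
block drop log quick inet from <__automatic_d351946e_2> to <rejects>
block drop log quick inet from <rejects> to <__automatic_d351946e_3>
pass out quick inet from any to any flags S/SA keep state
EOF
}

# Print "<references> <table name>" for every generated table, sorted by name.
automatic_tables() {
    awk '{
        line = $0
        # A rule can reference more than one table, so scan the whole line.
        while (match(line, /<__automatic_[0-9a-f]+_[0-9]+>/)) {
            name = substr(line, RSTART + 1, RLENGTH - 2)   # strip < and >
            count[name]++
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { for (n in count) print count[n], n }' | sort -k2
}

# Replace every generated name with one fixed token so that two listings
# can be diffed without the generated suffix showing up as a change.
# User-defined tables such as <rejects> are left untouched.
normalise_rules() {
    sed -E 's/<__automatic_[0-9a-f]+_[0-9]+>/<__automatic__>/g'
}

# Demonstration on the embedded sample; on a pf host the input would be
# the output of `pfctl -sr` instead.
sample_rules | automatic_tables
sample_rules | normalise_rules
```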