Bug 232524

Summary: Bug in pf or pfctl.
Product: Base System
Reporter: Dmitry <4diman>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not A Bug
Severity: Affects Some People
CC: kp
Priority: ---
Version: 11.2-RELEASE
Hardware: amd64
OS: Any

Description Dmitry 2018-10-22 10:26:04 UTC
pf.conf:
block in on em0 inet from 139.99.0.0/17 to any
block in on em0 inet from 162.247.74.217 to any
block in on em0 inet from 109.188.66.148 to any
block in on em0 inet from 144.217.80.80 to any
block in on em0 inet from 198.50.200.128/27 to any
#block in on em0 inet from 199.249.230.0/24 to any

Without the last line everything is fine, but with the last line
pfctl -s rules shows only one strange rule:
block drop in on em0 inet from <__automatic_2f5be306_0> to any

Tested on 2 virtual machines - same result.
Comment 1 Kristof Provost freebsd_committer freebsd_triage 2018-10-22 16:05:29 UTC
This isn't a bug. The pf rules optimiser has decided that you've got enough different addresses with the same rule that it makes sense to put it into a table.

Try 'pfctl -t __automatic_2f5be306_0 -T show' and you'll see your addresses.

If you don't like this behaviour you can add 'set ruleset-optimization none' at the top of your pf.conf and it won't do this any more. You probably don't want to do that though, because the table form is almost certainly faster.
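
Added example, not part of the original report or of the reply above: the same block list written with an explicit named table, so the loaded ruleset shows a stable name instead of a generated `__automatic_...` one. The table name `blocked` and the runtime address `192.0.2.10` are assumptions chosen for illustration; the interface and the blocked addresses are the ones from the report.

```conf
# /etc/pf.conf fragment (constructed example; the table name "blocked" is an assumption)

# One table holding every source address from the report.
# "persist" keeps the table in the kernel even when no rule references it,
# so entries can be managed at runtime without reloading the ruleset.
table <blocked> persist { \
    139.99.0.0/17, \
    162.247.74.217, \
    109.188.66.148, \
    144.217.80.80, \
    198.50.200.128/27, \
    199.249.230.0/24 \
}

# A single rule replaces the six per-address block rules.
block in on em0 inet from <blocked> to any

# Useful checks (run as root):
#   pfctl -nf /etc/pf.conf              parse the file without loading it
#   pfctl -f /etc/pf.conf               load the ruleset
#   pfctl -s rules                      the rule now references <blocked>
#   pfctl -t blocked -T show            list the addresses in the table
#   pfctl -t blocked -T add 192.0.2.10  add an entry at runtime (constructed address)
#   pfctl -t blocked -T delete 192.0.2.10
```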