Interface groups: dynamic expansion for an interface foo0, used in a rule like "pass to (foo0)", pf creates a table called by the interface within the _pf anchor $ echo "pass to (wi0)" | sudo pfctl -f - $ sudo pfctl -a _pf -t wi0 -T show 172.16.43.1 fe80::202:6fff:fe37:fc66 create a table named by the group, again inside _pf, and put all member interface's addresses in them on changes, the addresses need to be updated in the interface _and_ all group tables additional gotcha: interfaces can leave and join groups any time, that needs handling too