state-policy floating not honored ?

2006-11-09 Thread Pierre-Yves Ritschard
Hi pf@,

I might be getting rusty, but I'm having a problem with a really simple
ruleset on a really recent -current OpenBSD.

The firewall has two carped interfaces and is running pfsync.
The ruleset goes like this:

ext=trunk0
set state-policy floating

table <mailservers> const { ... }
set skip on { lo0 }
block log all

pass in quick on $ext from any to <mailservers> port smtp

Well, this doesn't work, and I see rule 0 (block) being matched in
pflog's output.
If I modify the ruleset to look like this:

pass in quick on $ext from any to mailservers port smtp tag OK
pass out tagged OK

It works as expected, but this looks like 'state-policy if-bound'
behavior, right?


Re: state-policy floating not honored ?

2006-11-09 Thread Pierre-Yves Ritschard
* Pierre-Yves Ritschard ([EMAIL PROTECTED]) wrote:
> Hi pf@,
> 
> I might be getting rusty, but I'm having a problem with a really simple
> ruleset on a really recent -current OpenBSD.
> 
> The firewall has two carped interfaces and is running pfsync.
> The ruleset goes like this:
> 
> ext=trunk0
> set state-policy floating
> 
> table <mailservers> const { ... }
> set skip on { lo0 }
> block log all
> 
> pass in quick on $ext from any to <mailservers> port smtp
> 
> Well, this doesn't work, and I see rule 0 (block) being matched in
> pflog's output.
> If I modify the ruleset to look like this:
> 
> pass in quick on $ext from any to <mailservers> port smtp tag OK
> pass out tagged OK
> 
> It works as expected, but this looks like 'state-policy if-bound'
> behavior, right?

I tested this with the latest (11/7) -current available on my mirror, and
the behavior is the same.


Re: state-policy floating not honored ?

2006-11-09 Thread Daniel Hartmeier
On Thu, Nov 09, 2006 at 03:11:55PM +0100, Pierre-Yves Ritschard wrote:

> > It works as expected, but this looks like 'state-policy if-bound'
> > behavior, right?
> 
> I tested this with the latest (11/7) -current available on my mirror, and
> the behavior is the same.

You're probably misreading what 'floating' means. See

  http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2

i.e. a floating state does not allow packets on arbitrary interfaces in
arbitrary directions; it merely allows one direction on arbitrary
interfaces (when routing changes). You still need two states if you
filter both directions.

Daniel
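
To make Daniel's distinction concrete, here is a small Python model of pf state lookup, added to this thread; it is not code from the thread or from pf itself. It simplifies pf heavily: ports and `quick` are omitted, rules are last-match, the LAN-side carp interface is assumed to be called carp1, and the client and mail server addresses are constructed. Ruleset A is the original (one `pass in`), ruleset B is the tagged version, and the trunk1 case stands for a routing change that sends the server's reply out a different interface than the one the connection arrived on.

```python
from collections import namedtuple

# A Pkt is one pass of a packet through pf (direction relative to the firewall, interface,
# endpoints, tag set earlier on that pass); a state is the Pkt that created it. Rule fields
# left None mean "any"; the ruleset is last-match (the original's "quick" is omitted).
Pkt = namedtuple("Pkt", "dir iface src dst tag", defaults=(None,))
Rule = namedtuple("Rule", "action dir iface dst tagged tag", defaults=(None,) * 5)

class PF:
    def __init__(self, rules, state_policy="floating"):
        self.rules, self.policy, self.states = rules, state_policy, []
    def find_state(self, p):
        for s in self.states:
            if self.policy == "if-bound" and s.iface != p.iface:
                continue                  # floating ignores the interface ...
            same_dir = p.dir == s.dir and (p.src, p.dst) == (s.src, s.dst)
            reply = p.dir != s.dir and (p.src, p.dst) == (s.dst, s.src)
            if same_dir or reply:         # ... but never the direction
                return s
    def filter(self, p):
        """Return ((action, 'state' or rule number), tag); rules are numbered from 0."""
        if self.find_state(p):
            return ("pass", "state"), p.tag
        verdict, tag = ("pass", None), p.tag
        for n, r in enumerate(self.rules):
            if (r.dir and r.dir != p.dir) or (r.iface and r.iface != p.iface):
                continue
            if (r.dst and p.dst not in r.dst) or (r.tagged and r.tagged != tag):
                continue
            verdict, tag = (r.action, n), r.tag or tag
        if verdict[0] == "pass":              # pass rules keep state
            self.states.append(p._replace(tag=None))
        return verdict, tag

MAIL = {"192.0.2.25"}                         # constructed stand-in for table <mailservers>
RULESET_A = [Rule("block"), Rule("pass", "in", "trunk0", MAIL)]
RULESET_B = RULESET_A[:1] + [Rule("pass", "in", "trunk0", MAIL, tag="OK"),
                             Rule("pass", "out", tagged="OK")]

def smtp_connection(rules, state_policy, reply_iface="trunk0"):
    # Verdict per step for the start of an SMTP connection, stopping at the first block.
    fw, c, m = PF(rules, state_policy), "203.0.113.5", "192.0.2.25"  # constructed hosts
    steps = [Pkt("in", "trunk0", c, m),       # client SYN arrives on $ext
             Pkt("out", "carp1", c, m),       # same SYN forwarded out the LAN side
             Pkt("in", "carp1", m, c),        # server's SYN/ACK comes back in
             Pkt("out", reply_iface, m, c)]   # SYN/ACK leaves toward the client
    verdicts, tag = [], None
    for p in steps:
        tag = tag if p.dir == "out" else None  # a tag lives for one pass (in -> out) only
        verdict, tag = fw.filter(p._replace(tag=tag))
        verdicts.append(verdict)
        if verdict[0] == "block":
            break
    return verdicts
```

With ruleset A the forwarded SYN is blocked by rule 0 on the LAN side even under floating, because the only state was created in the "in" direction; with ruleset B the second state exists, and floating additionally lets the reply leave via trunk1 where if-bound would block it.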


Re: state-policy floating not honored ?

2006-11-09 Thread Pierre-Yves Ritschard
* Daniel Hartmeier ([EMAIL PROTECTED]) wrote:
> On Thu, Nov 09, 2006 at 03:11:55PM +0100, Pierre-Yves Ritschard wrote:
> 
> > > It works as expected, but this looks like 'state-policy if-bound'
> > > behavior, right?
> > 
> > I tested this with the latest (11/7) -current available on my mirror, and
> > the behavior is the same.
> 
> You're probably misreading what 'floating' means. See
> 
>   http://marc.theaimsgroup.com/?l=openbsd-pf&m=114372425614238&w=2
 
I was indeed, thanks.