On 2015-11-15 18:33:49 (+0100), Kristof Provost <[email protected]> wrote:
> On the other hand, perhaps there's something we can do about the state
> matching. The problems all start because we match state on the
> duplicated packet. That's not correct, because the rule is set on e.g.
> em0, but the duplicated packet is sent out on em1.
> In fact, from a first reading of the code I don't actually understand
> why we're getting that state match.
> 
I've looked at the state matching for a bit. It turns out that by
default packets will match state on any interface (specifically, the
state is saved to the 'all' interface, rather than to the specific
interface it was created on).
That default can be changed with 'set state-policy if-bound'. I'd expect
adding that would work around the problem you see.

Regards,
Kristof
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
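The state-policy setting mentioned in the reply, as a pf.conf fragment. This is an added example, not configuration taken from the thread: the interface names follow the em0/em1 used in the quoted text, while the dup-to rule and the 192.0.2.10 address are constructed placeholders.

```pfconf
# pf.conf fragment (constructed example; rule and address are placeholders)

# Default behaviour, equivalent to leaving the option unset:
# states are attached to the 'all' interface, so a packet can match
# the state on any interface.
# set state-policy floating

# Bind each state to the interface it was created on, so a state
# created by a rule on em0 is not matched by traffic on em1.
set state-policy if-bound

# Hypothetical rule of the kind discussed above: the state is created
# on em0, and the duplicated packet is sent out on em1.
pass in on em0 dup-to (em1 192.0.2.10) proto tcp from any to any keep state

# The policy can also be selected per rule instead of globally:
# pass in on em0 proto tcp from any to any keep state (if-bound)
```

Running `pfctl -nf` on the file checks the syntax without loading it. After loading, each line of `pfctl -ss` starts with the interface the state is bound to: `all` for floating states, the interface name for if-bound ones.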