Henning Brauer wrote:
> err? packets matching the state are of course queued in the queue
> specified in the rule, what else?

Maybe I am influenced too much by Linux traffic-shaping/firewalling. And from that point, I was not conscious of what pf keeps track of with its state-engine because I did not read anything about this in the man-pages. I only read that no further rule-elevation at all will be done on packets matching a state. All references to "stickiness" of attributes in the man-page are about further rules matching a packet, not those which already matched a state.

Maybe it should be stated in pf.conf(5) what the state-engine keeps track of, just to clarify. At least that does not seem intuitive to me.

Another inconsistency for me would be "scrub", or now "match .. scrub": will all packets be scrubbed in a state, will they be "match"ed or just scrubbed by the state-engine? If "matched", then there would be an elevation after all.

Sorry for misusing this thread for that, but with the first post of the OP it seemed the right place.

Bye and thanks in advance,
Andreas Mueller.

