* Andreas Mueller <[email protected]> [2010-02-22 23:57]:
> Henning Brauer wrote:
> > err? packets matching the state are of course queued in the queue
> > specified in the rule, what else?
>
> Maybe I am influenced too much with linux traffic-shaping/firewalling.
> And from that point, I was not conscious about what pf keeps track of with
> its state-engine because I did not read anything about this in the
> man-pages.
> I only read that no further rule-elevation at all will be done on
> packets matching a state. All references on "stickiness" of attributes
> in the man-page are about further rules matching a packet, not those
> which already matched a state.
> Maybe it should be stated in pf.conf(5) what the state-engine keeps
> track of, just to clarify.
> At least that does not seem intuitive to me.

everything else would be completely weird and non-intuitive. why
should subsequent packets be treated differently? that doesn't make
sense.

> Another inconsistency for me would be "scrub", or now "match .. scrub",
> will all packets be scrubbed in a state, will they be "match"ed or just
> scrubbed by the state-engine?

of course all packets get the given scrub options applied. what else?

> If "matched", then there would be an elevation after all.

what? you're confuzzled. the old scrub was stateless, but that is
absolutely irrelevant by now.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

