On Fri, Mar 14, 2003 at 01:28:02PM -0500, ben fleis wrote:
> udp 127.0.0.1:30551 -> 127.0.0.1:53       MULTIPLE:SINGLE
> udp 127.0.0.1:53 -> 127.0.0.1:30551       SINGLE:NO TRAFFIC
>
> Since UDP itself is stateless, each half of the connection ought to simply
> be held on a timer, nothing else. And each half of pf's state table ought
> to mirror its reflexive twin, in all aspects, or so I would believe. Can you
> recast the explanation to UDP? Thanks :)
One possible explanation is an asymmetric ruleset like

    pass in on lo0 keep state
    pass out on lo0

The same packet goes through lo0 in both directions, and since the direction is part of the state entry key, two states are created. But in one direction, the first packet (assuming a simple DNS query and reply) does not create state yet, but state is created on the reply. Hence, only one of the two packets matched this state entry.

But it's kind of a moot point; filtering on lo0 doesn't make sense in general. I have yet to see a useful application, at least.

Daniel
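The explanation above can be walked through with a small model of pf's UDP state tracking. The following is an added example for this thread, not pf's code or anything posted by ben or Daniel; it assumes a simplified version of pf's behaviour (state keyed by addresses plus direction, the reply matching the same entry in the opposite direction, pf's SINGLE/MULTIPLE transitions, every packet on lo0 being filtered once "out" and once "in", and pass-by-default when no rule matches). The addresses, ports and rulesets are constructed to match the `pfctl -ss` output quoted at the top of the thread.

```python
"""Toy model of pf's stateful UDP tracking on a loopback interface.

Constructed example for this thread; it is not pf's code.  Modelling
assumptions (simplified from pf's behaviour as the reply describes it):
  * a state entry is keyed by (src, dst, direction); it matches a packet with
    the same key, or the reversed addresses in the opposite direction (reply);
  * a new state starts as SINGLE:NO_TRAFFIC; on every matching packet the
    sending side becomes at least SINGLE and the receiving side, if SINGLE,
    becomes MULTIPLE (pf's UDP state machine);
  * a packet on lo0 is filtered twice, first "out" and then "in";
  * with no matching rule pf's default is to pass without creating state.
"""
from dataclasses import dataclass

NO_TRAFFIC, SINGLE, MULTIPLE = "NO_TRAFFIC", "SINGLE", "MULTIPLE"


@dataclass
class Rule:
    direction: str        # "in" or "out"
    keep_state: bool      # True for a rule with "keep state"


@dataclass
class State:
    src: tuple            # (address, port) of the side that created the state
    dst: tuple
    direction: str        # direction of the packet that created the state
    src_state: str = SINGLE
    dst_state: str = NO_TRAFFIC
    timeout: str = "udp.first"   # timeout class, as named in pf.conf's "set timeout"

    def matches(self, src, dst, direction):
        """Return 'forward', 'reverse' or None, as a stateful lookup would."""
        if (src, dst, direction) == (self.src, self.dst, self.direction):
            return "forward"
        if (src, dst) == (self.dst, self.src) and direction != self.direction:
            return "reverse"
        return None

    def update(self, how):
        """Apply pf's UDP transitions for a packet that matched as `how`."""
        if how == "forward":
            sender, receiver = "src_state", "dst_state"
        else:
            sender, receiver = "dst_state", "src_state"
        if getattr(self, sender) == NO_TRAFFIC:
            setattr(self, sender, SINGLE)
        if getattr(self, receiver) == SINGLE:
            setattr(self, receiver, MULTIPLE)
        both = self.src_state == MULTIPLE and self.dst_state == MULTIPLE
        self.timeout = "udp.multiple" if both else "udp.single"

    def __str__(self):
        return (f"udp {self.src[0]}:{self.src[1]} -> {self.dst[0]}:{self.dst[1]} "
                f"{self.direction:3} {self.src_state}:{self.dst_state} ({self.timeout})")


def filter_packet(rules, states, src, dst, direction):
    """Filter one packet in one direction: state lookup first, then the rules."""
    for state in states:
        how = state.matches(src, dst, direction)
        if how:
            state.update(how)
            return
    applicable = [r for r in rules if r.direction == direction]
    if applicable and applicable[-1].keep_state:   # pf: last matching rule wins
        states.append(State(src, dst, direction))


def run_on_lo0(rules, packets):
    """Send each (src, dst) packet over lo0, where pf sees it out, then in."""
    states = []
    for src, dst in packets:
        for direction in ("out", "in"):
            filter_packet(rules, states, src, dst, direction)
    return states


def state_summary(states):
    """(creating direction, src state, dst state) per entry, in creation order."""
    return [(s.direction, s.src_state, s.dst_state) for s in states]


# Constructed traffic: the DNS query and reply from the quoted pfctl output.
CLIENT, DNS = ("127.0.0.1", 30551), ("127.0.0.1", 53)
QUERY_AND_REPLY = [(CLIENT, DNS), (DNS, CLIENT)]

ASYMMETRIC = [Rule("in", True), Rule("out", False)]   # pass in on lo0 keep state / pass out on lo0
SYMMETRIC = [Rule("in", True), Rule("out", True)]     # keep state in both directions
NO_FILTER = []                                        # no rules on lo0 at all

if __name__ == "__main__":
    for name, ruleset in (("asymmetric", ASYMMETRIC), ("symmetric", SYMMETRIC),
                          ("unfiltered", NO_FILTER)):
        print(f"{name}:")
        for s in run_on_lo0(ruleset, QUERY_AND_REPLY):
            print("  ", s)
```

With the asymmetric ruleset the model reproduces the quoted output: the query creates an entry on its inbound pass, the reply matches that entry on its outbound pass (pushing it to MULTIPLE:SINGLE), and then, because direction is part of the key, the reply's inbound pass matches nothing and creates a second entry that stays at SINGLE:NO_TRAFFIC. With `keep state` on both rules there are still two entries, but each sees both packets; with no rules on lo0 there are no entries at all, which is the usual way to treat loopback (modern pf spells it `set skip on lo0`).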
