On Fri, Jul 18, 2003 at 01:39:09AM +0200, Claudio Jeker wrote:

> I have multiple rules of the form:
>
> pass in on fxp1 from any to <table_a> keep state queue a
> pass in on fxp1 from any to <table_b> keep state queue b
> pass in on fxp1 from any to <table_c> keep state queue c
> pass in on fxp1 from any to <table_d> keep state queue d
>
> after some debugging with pfctl -g -vv -s r it seems that the first rule
> skips all others.

Can you please provide pfctl -gvvsr output (put it on a web page or mail me privately, if it's too large to post).

If the destination address is the only mismatching parameter in the first rule, that shouldn't cause the subsequent rules to get skipped (that would be a bug, as the tables may be different).

But the evaluation counters can be ambiguous. For instance, if the first rule above comes after a rule specifying a different interface, then the mismatching parameter is 'on fxp1', and the subsequent rules will be skipped for packets on other interfaces.

So, you're saying that the first rule is getting evaluated, but mismatches. But the packets would actually match one of the subsequent rules (due to a different destination address, not found in table_a but in table_c, for instance), but don't, as those rules are skipped? If you re-order the above rules, packets match?

Daniel
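The two readings of the evaluation counters that Daniel's reply distinguishes, as an added toy model that is not part of this thread and not pf's code: pf computes, for each rule and each parameter, a "skip step" pointing at the next rule whose value for that parameter differs, and a mismatch on that parameter jumps straight there. The model assumes three parameters (interface, protocol, destination), an assumed earlier rule on fxp0 ahead of Claudio's four fxp1 rules, constructed table contents, and a `tables_distinct` switch that only models the behaviour Daniel says "would be a bug" (all table references treated as equal in skip-step calculation); it does not claim that bug exists in pf.

```python
# Toy model of pf's skip-step rule evaluation. Added illustration for this
# thread; it is NOT pf's own code, and the tables_distinct switch only models
# the behaviour Daniel describes as "a bug", not any confirmed pf defect.
PARAMS = ("iface", "proto", "dst")  # parameter order the model tests in
ANY = "any"


def make_rule(iface=ANY, proto=ANY, dst=ANY):
    """One 'pass in on <iface> proto <proto> from any to <dst>' rule."""
    return {"iface": iface, "proto": proto, "dst": dst}


def is_table(value):
    return isinstance(value, str) and value.startswith("<")


def same_param(a, b, param, tables_distinct):
    """Would skip-step calculation treat these two rule values as equal?"""
    if param == "dst" and is_table(a) and is_table(b) and not tables_distinct:
        return True  # assumed bug: every table reference looks identical
    return a == b


def calc_skip_steps(rules, tables_distinct=True):
    """skip[param][i] = index of the next rule whose value for param differs
    from rule i's (len(rules) if there is none). When a packet mismatches
    rule i on param, evaluation jumps straight to that index."""
    n = len(rules)
    skip = {p: [n] * n for p in PARAMS}
    for p in PARAMS:
        for i in range(n):
            j = i + 1
            while j < n and same_param(rules[i][p], rules[j][p], p, tables_distinct):
                j += 1
            skip[p][i] = j
    return skip


def param_matches(value, pkt_value, param, tables):
    if value == ANY:
        return True
    if param == "dst" and is_table(value):
        return pkt_value in tables[value.strip("<>")]
    return value == pkt_value


def evaluate(rules, tables, pkt, tables_distinct=True):
    """Return (index of the matching rule or None, per-rule evaluation
    counters, i.e. what 'pfctl -vvsr' shows as Evaluations)."""
    skip = calc_skip_steps(rules, tables_distinct)
    evals = [0] * len(rules)
    i = 0
    while i < len(rules):
        evals[i] += 1
        for p in PARAMS:
            if not param_matches(rules[i][p], pkt[p], p, tables):
                i = skip[p][i]
                break
        else:
            return i, evals
    return None, evals


# Constructed sample data (not from the original mail).
TABLES = {
    "table_a": {"10.0.0.1"}, "table_b": {"10.0.0.2"},
    "table_c": {"10.0.0.3"}, "table_d": {"10.0.0.4"},
}
RULES = [
    make_rule(iface="fxp0", proto="tcp"),   # assumed earlier rule on another interface
    make_rule(iface="fxp1", dst="<table_a>"),
    make_rule(iface="fxp1", dst="<table_b>"),
    make_rule(iface="fxp1", dst="<table_c>"),
    make_rule(iface="fxp1", dst="<table_d>"),
]


def on_other_iface():
    """UDP packet on fxp0: rule 0 mismatches on proto, rule 1 on 'on fxp1',
    and rules 2-4 are skipped legitimately, as they all say 'on fxp1' too."""
    return evaluate(RULES, TABLES, {"iface": "fxp0", "proto": "udp", "dst": "10.0.0.3"})


def tables_kept_distinct():
    """Packet on fxp1 to an address in table_c: correct skip steps walk
    rule by rule through the table rules and match rule 3."""
    return evaluate(RULES, TABLES, {"iface": "fxp1", "proto": "udp", "dst": "10.0.0.3"})


def tables_conflated():
    """Same packet, but with tables conflated in skip-step calculation: the
    dst mismatch on rule 1 skips rules 2-4 and nothing matches."""
    return evaluate(RULES, TABLES, {"iface": "fxp1", "proto": "udp", "dst": "10.0.0.3"},
                    tables_distinct=False)


if __name__ == "__main__":
    for f in (on_other_iface, tables_kept_distinct, tables_conflated):
        print(f.__name__, f())
```

The first two cases give the same counters for rule 0 and rule 1 but for different reasons, which is why the raw Evaluations column alone cannot tell the legitimate interface skip apart from a wrongly computed destination skip; the re-ordering test Daniel asks for separates them, because in the conflated case whichever table rule comes first is the only one ever evaluated.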
