pf behavior question (addendum)

2010-07-16 Thread Mario Lobo
Sorry. Forgot to ask:

Will the packet be actually tagged on the first rule, even though rule parsing
continues? Will it reach the last rule already tagged?

Thanks again.

Hi;

System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 
i386

The question is about how pf acts in a specific situation.

Suppose I have the following rules:


pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test

rule 2
rule 3
.
.
rule n

pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp)


Suppose the packet matches the first rule.

According to what I read about pf, it will keep parsing the rules (no quick
on the first rule). When it reaches the last rule, the tag will match and the
packet will pass.

I don't believe I'll have 2 state table entries for the same packet after the
last rule matches. Or will I?

What is the proper way to use the tag created on the first rule, as far as the
state table is concerned?


Thanks,

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winfoes FREE)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

