Adam Gensler <openbsd <at> kristenandadam.net> writes:

> local_nets = "{ 172.28.1.0/24, 172.28.10.0/24, 172.28.11.0/24 }"
> work871 = "172.28.1.3"
> pass in quick inet proto udp from $work871 tos 0xB8 tag VOIP-RTP
> pass in quick inet proto udp from $work871 tos 0x60 tag VOIP-SIG
> pass in quick inet proto { tcp, udp } from $local_nets
Another possible thing I see is the tunnel-originating side. Since the tos rules you have are unidirectional (in terms of match), they will create state only if the first packet comes from $work871. However, a first packet coming from the other side will match another rule and create state, so all subsequent packets of that tunnel will not hit the tos rules.