On Fri, Jan 22, 2021 at 06:07:59PM +1000, David Gwynne wrote: > --- sys/conf/GENERIC 30 Sep 2020 14:51:17 -0000 1.273 > +++ sys/conf/GENERIC 22 Jan 2021 07:33:30 -0000 > @@ -82,6 +82,7 @@ pseudo-device msts 1 # MSTS line discipl > pseudo-device endrun 1 # EndRun line discipline > pseudo-device vnd 4 # vnode disk devices > pseudo-device ksyms 1 # kernel symbols device > +pseudo-device kstat > #pseudo-device dt # Dynamic Tracer > > # clonable devices
This is an unrelated chunk. > +pf_route(struct pf_pdesc *pd, struct pf_state *s) ... > + if (pd->dir == PF_IN) { > if (pf_test(AF_INET, PF_OUT, ifp, &m0) != PF_PASS) Yes, this is the correct logic. When the packet comes in, pf overrides forwarding, tests the out rules, and sends it. For outgoing packets on out route-to rules we have already tested the rules. It also works for reply-to the other way around. But what about dup-to? The packet is duplicated for both directions. I guess the main use case for dup-to is implementing a monitor port. There you have to pass packets stateless, otherwise it would not work anyway. The strange semantics is not related to this diff. We are reaching a state where this diff can go in. I just startet a regress run with it. OK bluhm@