Date: Wed, 16 May 2007 16:38:36 -0500
From: David DeSimone <fox@verio.net>
To: Tom Judge <tom@tomjudge.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Packet Path Through PF (once for each interface?)
Message-ID: <20070516213836.GB22335@verio.net>
In-Reply-To: <464B6A29.2020107@tomjudge.com>
References: <464B487C.1050301@tomjudge.com> <20070516195948.GA22335@verio.net> <464B6A29.2020107@tomjudge.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Judge <tom@tomjudge.com> wrote:
>
> According to the diagram that Greg sent a link to, state is checked for
> every interface. However, is the state information tied to an
> interface?

The answer is determined by the state-policy. In your configuration you can set state-policy to "if-bound" or "group-bound" or "floating".

If you choose "if-bound", the state will stick to the interface chosen at the time of initial evaluation of the rule. If packets start to flow through different interfaces, they will fail to match the state, and this will require a rulebase evaluation to be performed in order to determine if traffic should continue to flow.

If you choose "floating" (which is the default), state is not bound to any particular interface, and it will not matter whether the packets arrive or leave on the same interfaces; only that the packet contents match the defined state. With this setting, I believe that your rule would only be evaluated once, and as long as the state entry lasts, PF will only examine the packets as far as state, and will skip the rulebase evaluation. It will perform this state evaluation TWICE, once for ingress, again for egress.

- --
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGS3ncFSrKRjX5eCoRAsjtAJ91+qND3lFpBgxw1hcBDYH0cgk6DgCgmL0V
ZSTZ9yfzLoxLDW/GE97YlYA=
=ZAPt
-----END PGP SIGNATURE-----
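The two state-policy settings discussed in the reply, written out as a pf.conf fragment. This is an added example, not configuration from the thread; the interface names em0 and em1, the 192.168.1.0/24 network and the choice of a forwarding router are assumed for illustration. It shows the global `set state-policy` option and the per-rule override (`keep state (if-bound)` / `keep state (floating)`), which pf.conf accepts in the state-options list, so a rulebase can mix both behaviours.

```pf
# Interfaces on a router that forwards between two networks (assumed names).
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Global default for every rule that creates state.
# "floating" is pf's default: a state entry matches the packet regardless of
# the interface it arrives on or leaves by, so a forwarded connection is
# evaluated against the rules once and then matched by state on both the
# ingress and the egress interface.
set state-policy floating

# With "if-bound" instead, a state entry is tied to the interface on which
# the rule created it. A packet leaving on the other interface misses that
# state, so the rules are evaluated again there and a second, separately
# bound state is created. Uncomment to make that the global default:
# set state-policy if-bound

block all

# Per-rule override: keep this forwarded LAN traffic floating even if the
# global policy above is changed to if-bound.
pass in  on $int_if proto tcp from $lan to any port 80 keep state (floating)
pass out on $ext_if proto tcp from $lan to any port 80 keep state (floating)

# Per-rule override in the other direction: management access to the router
# itself is bound to the interface it arrived on, so a state created for
# SSH on the internal side cannot be matched by packets seen on $ext_if.
pass in on $int_if proto tcp from $lan to ($int_if) port 22 keep state (if-bound)
```

After loading this with `pfctl -f /etc/pf.conf`, the effect of the policy is visible in `pfctl -ss`: the first column of each state entry is the interface the state is bound to, or `all` for a floating state. Note that "group-bound", mentioned in the reply, was a valid value in the pf of that era but is not available in current FreeBSD, where only `if-bound` and `floating` remain.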