From owner-freebsd-questions@FreeBSD.ORG Fri Jul 16 20:35:54 2010
From: Mario Lobo
To: freebsd-questions
Date: Fri, 16 Jul 2010 17:35:23 +0000
Subject: pf behavior question (addendum)
Message-Id: <201007161735.23839.lobo@bsd.com.br>

Sorry. Forgot to ask:

Will the packet actually be tagged on the first rule, even though rule parsing continues? Will it reach the last rule already tagged?

Thanks again.

Hi;

System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386

The question is about how pf acts in a specific situation. Suppose I have the following rules:

pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test
rule 2 ....
rule 3 .....
.
rule n ....
pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp)

Suppose the packet matches the first rule. According to what I read about pf, it will keep parsing the rules (no "quick" on the first rule). When it reaches the last rule, the tag will match and the packet will pass.

I don't believe I'll have 2 state table entries for the same packet after the last rule matches. Or will I?

What is the proper way to use the tag created on the first rule, as far as the state table is concerned?

Thanks,
-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winfoes FREE)
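To make the evaluation order in the question concrete, here is an added illustration (editor's example, not pf code and not from the post) that models the pf.conf(5) semantics it turns on: rules are walked in order, the last matching rule decides unless a matching rule carries `quick`, a `tag` is sticky once applied (a later matching rule may replace it but not remove it), `tagged` only matches packets that already carry that tag, and the deciding rule is the one that creates the state. The rule names and packet fields are constructed for the demo.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    match: dict                   # constructed packet-field constraints
    action: str = "pass"
    quick: bool = False
    tag: Optional[str] = None     # 'tag test': mark a matching packet
    tagged: Optional[str] = None  # 'tagged test': match only marked packets
    keep_state: bool = False

def rule_matches(rule: Rule, pkt: dict, current_tag: Optional[str]) -> bool:
    # 'tagged' is a match criterion evaluated against the sticky tag
    if rule.tagged is not None and current_tag != rule.tagged:
        return False
    return all(pkt.get(k) == v for k, v in rule.match.items())

def evaluate(rules, pkt):
    """Return (deciding_rule, final_tag, states_created) for one packet."""
    tag, winner = None, None
    for rule in rules:
        if not rule_matches(rule, pkt, tag):
            continue
        winner = rule                 # last match wins...
        if rule.tag is not None:
            tag = rule.tag            # ...and the tag sticks from here on
        if rule.quick:
            break                     # 'quick' stops the walk
    if winner is None:
        return ("default pass", tag, 0)   # pf passes when nothing matches
    # one state, created by the deciding rule, never one per matching rule
    return (winner.name, tag, 1 if winner.keep_state else 0)

RULES = [  # constructed ruleset mirroring the shape of the one in the post
    Rule("rule 1: pass in tag test", {"proto": "tcp", "dport": 8021},
         tag="test", keep_state=True),
    Rule("rule 2: block in port 22", {"proto": "tcp", "dport": 22},
         action="block"),
    Rule("rule n: pass in quick tagged test queue ftp", {"proto": "tcp"},
         quick=True, tagged="test", keep_state=True),
]

def ftp_control_packet():
    return evaluate(RULES, {"proto": "tcp", "dport": 8021})

def ssh_packet():
    return evaluate(RULES, {"proto": "tcp", "dport": 22})
```

Running it shows the packet to port 8021 arriving at rule n already tagged, being decided by that rule, and producing a single state; the port 22 packet never carries the tag, so rule n does not match it and rule 2 decides.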