Date: Fri, 24 Apr 2015 10:45:08 +1000
Subject: pf state tracking??
From: Olaf de Bree
To: freebsd-pf@freebsd.org

Hi all,

I'm hoping someone can help me with an issue I have with pf and tos matching.

I wish to assign tos marked reply packets to an altq queue, but I find that when using the keep state option on a rule, reply traffic is not inspected and queued correctly because pf has a state for the request. Queuing should be performed outbound on the inside INT.

EG

Client ----NO TOS----> Inside INT (PF) Outside INT ------------------------->Internet
       <-------------------------------TOS MARKED---------------------------------

It works correctly when using no state, but I would like to keep state so I may also use dummynet pipes, a patch from the pfsense project.

Working

pass out on em0 inet from any to tos 0x60 no state label "USER_RULE: Normal Beam 501 CVC 43" queue q50143n

Not working

pass out on em0 inet from any to tos 0x60 keep state label "USER_RULE: Normal Beam 501 CVC 43" queue q50143n

Is there any way to override PF's behaviour to inspect the reply traffic and classify it correctly?

Thanks in advance
Olaf