From owner-freebsd-pf@freebsd.org Sun Nov 22 19:15:01 2015 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED067A35808 for ; Sun, 22 Nov 2015 19:15:01 +0000 (UTC) (envelope-from kp@vega.codepro.be) Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.codepro.be", Issuer "Gandi Standard SSL CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A6509144E for ; Sun, 22 Nov 2015 19:15:01 +0000 (UTC) (envelope-from kp@vega.codepro.be) Received: from vega.codepro.be (unknown [172.16.1.3]) by venus.codepro.be (Postfix) with ESMTP id A229A7E2E; Sun, 22 Nov 2015 20:14:58 +0100 (CET) Received: by vega.codepro.be (Postfix, from userid 1001) id 9748D7FD3B; Sun, 22 Nov 2015 20:14:58 +0100 (CET) Date: Sun, 22 Nov 2015 20:14:58 +0100 From: Kristof Provost To: =?utf-8?Q?Mi=C5=82osz?= Kaniewski Cc: freebsd-pf@freebsd.org Subject: Re: Creating span interface using 'dup-to' option Message-ID: <20151122191458.GD2307@vega.codepro.be> References: <20151108000315.GC2336@vega.codepro.be> <20151108192951.GD2336@vega.codepro.be> <20151115173349.GE13268@vega.codepro.be> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20151115173349.GE13268@vega.codepro.be> X-Checked-By-NSA: Probably User-Agent: Mutt/1.5.24 (2015-08-30) X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Nov 2015 19:15:02 -0000 On 2015-11-15 18:33:49 (+0100), Kristof Provost wrote: > On the other hand, perhaps there's something we can do about the state > matching. The problems all start because we match state on the > duplicated packet. That's not correct, because the rule is set on e.g. > em0, but the duplicated packet is sent out on em1. > In fact, from a first reading of the code I don't actually understand > why we're getting that state match. > I've looked at the state matching for a bit. It turns out that by default packets will match state on any interface (specifically, the state is saved to the 'all' interface, rather than to the specific interface it was created on). That default can be changed with 'set state-policy if-bound'. I'd expect adding that would work around the problem you see. Regards, Kristof