From owner-freebsd-pf@freebsd.org  Sun Nov 22 19:15:01 2015
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED067A35808
 for <freebsd-pf@mailman.ysv.freebsd.org>; Sun, 22 Nov 2015 19:15:01 +0000 (UTC)
 (envelope-from kp@vega.codepro.be)
Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits))
 (Client CN "*.codepro.be", Issuer "Gandi Standard SSL CA 2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A6509144E
 for <freebsd-pf@freebsd.org>; Sun, 22 Nov 2015 19:15:01 +0000 (UTC)
 (envelope-from kp@vega.codepro.be)
Received: from vega.codepro.be (unknown [172.16.1.3])
 by venus.codepro.be (Postfix) with ESMTP id A229A7E2E;
 Sun, 22 Nov 2015 20:14:58 +0100 (CET)
Received: by vega.codepro.be (Postfix, from userid 1001)
 id 9748D7FD3B; Sun, 22 Nov 2015 20:14:58 +0100 (CET)
Date: Sun, 22 Nov 2015 20:14:58 +0100
From: Kristof Provost <kp@FreeBSD.org>
To: =?utf-8?Q?Mi=C5=82osz?= Kaniewski <milosz.kaniewski@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Creating span interface using 'dup-to' option
Message-ID: <20151122191458.GD2307@vega.codepro.be>
References: <CAC4mxp5ar-Kvp5238VRfKEL6FiVOg7XXzmv8fE-zdEFYRk7cAw@mail.gmail.com>
 <SN1PR08MB18210835207E194932EBB485BA310@SN1PR08MB1821.namprd08.prod.outlook.com>
 <CAC4mxp77FrDvT+1J+dQqrgc_ji3vmbMZOkYnXae+D2L1PanK1g@mail.gmail.com>
 <20151108000315.GC2336@vega.codepro.be>
 <20151108192951.GD2336@vega.codepro.be>
 <CAC4mxp7B5tYErUX+h0803eQhRY2XzXCFpLP7=2ESJPQtVupczA@mail.gmail.com>
 <CAC4mxp6wvMe9EWqXYzNG=FEA2HO-kNqmdLrUjs8nHJUODTucUw@mail.gmail.com>
 <20151115173349.GE13268@vega.codepro.be>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20151115173349.GE13268@vega.codepro.be>
X-Checked-By-NSA: Probably
User-Agent: Mutt/1.5.24 (2015-08-30)
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2015 19:15:02 -0000

On 2015-11-15 18:33:49 (+0100), Kristof Provost <kp@FreeBSD.org> wrote:
> On the other hand, perhaps there's something we can do about the state
> matching. The problems all start because we match state on the
> duplicated packet. That's not correct, because the rule is set on e.g.
> em0, but the duplicated packet is sent out on em1.
> In fact, from a first reading of the code I don't actually understand
> why we're getting that state match.
> 
I've looked at the state matching for a bit. It turns out that by
default packets will match state on any interface (specifically, the
state is saved to the 'all' interface, rather than to the specific
interface it was created on).
That default can be changed with 'set state-policy if-bound'. I'd expect
adding that would work around the problem you see.

Regards,
Kristof