From: RW <rwmaillists@googlemail.com>
To: freebsd-questions@freebsd.org
Subject: Re: pf usage
Date: Thu, 27 Feb 2020 22:15:11 +0000
Message-ID: <20200227221511.641d9d91@gumby.homeunix.com>

On Wed, 26 Feb 2020 02:55:15 -0800 Doug Hardie wrote:
> I just learned something quite unexpected about pf. Some time ago,
> the rules had to include "state" to have pf track state. However,
> later pf was changed to always assume "state" thus reducing the
> typing of the rules. The description of that change made me believe
> that the change was in pf. On one of my systems with two NICs and
> two different internet providers, I was using pftop to track usage.
> The only states I saw were for just one network. The other one never
> showed any states, but the packets were delivered properly.
>
> I discovered that pf has to have a rule for each interface. I used
> "pass all" for the interface that needed no other rules. The change
> apparently was made to pfctl not pf. So the one interface had no
> rules, and hence there was nothing to tell pf to track state.

If your concern is to do with efficiency, there may be an optimization
there. It's possible that pfctl sets a flag on interfaces that aren't
affected by the rule set, so that traffic can pass with low overheads
and without creating unnecessary state entries. I've no idea whether
this is correct, it's just speculation. But if it is then forcing
state entries would be counterproductive.
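A pf.conf sketch of the two-provider setup discussed in this thread, added here as an illustration and not taken from either poster's configuration; the interface names and the LAN range are assumed placeholders. It gives each interface its own rule so that states are created on both, shows the explicit form of what pfctl adds to a plain "pass", and shows "no state" as the explicit way to opt out of state tracking rather than leaving an interface with no rules at all.

```pf
# Added example, not from the thread. Interface names and the address
# range are assumed placeholders; adjust to the real NICs.
isp1_if = "em0"             # first provider
isp2_if = "em1"             # second provider
lan_net = "192.168.1.0/24"  # constructed local network

set skip on lo0

# Default deny: an interface with no matching rule now drops traffic.
# With no rules at all, pf's default is to pass, which is why the
# ruleless interface in the thread still delivered packets.
block log all

# Provider 1: a plain "pass" is stateful, because pfctl adds
# "keep state" (and "flags S/SA" for TCP) to every pass rule.
pass in  on $isp1_if proto tcp from any to ($isp1_if) port 22
pass out on $isp1_if from ($isp1_if) to any

# Provider 2: the interface needs rules of its own before any state is
# tracked on it. Written out explicitly, these match the rules above.
pass in  on $isp2_if proto tcp from any to ($isp2_if) port 22 \
    flags S/SA keep state
pass out on $isp2_if from ($isp2_if) to any keep state

# Let the LAN out through provider 1, stateful as well.
pass in on $isp1_if from $lan_net to any

# If state on one interface is genuinely unwanted (the efficiency
# concern above), say so explicitly instead of leaving it ruleless:
# pass on $isp2_if all no state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -sr` to see the `flags S/SA keep state` pfctl added to the provider 1 rules, and `pfctl -ss` to confirm live state entries appear for both interfaces.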