On 02-09-2014 16:32, andy wrote:
> Yes I wouldn't expect to be able to apply more than one tag, I'm asking
> about checking for multiple matching tags?
>
> I.e. pass out if the packet is 'tagged' with XXX or YYY or ZZZ.

But that's the point. If you assign a packet with multiple tags, only the last one (or the one with the quick keyword) is the one the packet will have. You can, however, use multiple match rules and control your packet flow with multiple tags, directing the packets as they switch their tags. But you can't compare for multiple tags at once.

One thing that I do before writing my pf rules is to draw the flows on paper. That way I can plan in advance.

You have another option, which I also use, that is to use a pflow(4) interface in combination with nfsen and make your OpenBSD machine act as a simple router and monitor your packets for a week or so. That way you can effectively know how your network behaves and can program your rules accordingly.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
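
A pf.conf sketch of the point made in the message above, added here as an illustration and not taken from the original post. The interface names and the MAIL tag are assumptions; XXX, YYY and ZZZ are the tags from the question.

```pf
# Constructed example: interface names are assumptions.
int_if = "em1"
dmz_if = "em2"
vpn_if = "tun0"

block all

# Tag on the way in. A packet carries one tag at a time.
pass in on $int_if from $int_if:network tag XXX
pass in on $dmz_if from $dmz_if:network tag YYY
pass in on $vpn_if tag ZZZ

# A later matching rule that sets a tag replaces the earlier one:
# SMTP from the internal network ends up tagged MAIL (hypothetical
# tag), not XXX.
match in on $int_if proto tcp to port smtp tag MAIL

# "tagged" takes a single tag, so "XXX or YYY or ZZZ" is written as
# one pass rule per tag. Packets tagged MAIL match none of these and
# fall through to "block all".
pass out on egress tagged XXX
pass out on egress tagged YYY
pass out on egress tagged ZZZ
```

The ruleset can be syntax-checked without loading it using `pfctl -nf` on the file.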