Hi,

> On 25 Jun 2015, at 10:31, Jiri B <ji...@devio.us> wrote:
>
> On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
>> Surprised I've not had any replies for this?
>> http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
>>
>> I copied this from a diagram I found some years ago which has been photocopied
>> a few times and is now intelligible, so thought I'd quickly re-do it.
>>
>> I can't believe nothing has changed in 5 years (I think that's when the
>> original I saw was dated).
>>
>> Anyway, I'll try and message Henning directly and get his thoughts, and I'll post
>> back here once it's got his approval.
>>
>> Cheers, Andy.
>
> IIRC pf packet flow is also influenced by routing which is done
> before pf. That's why local sourced traffic for remote destination
> cannot be redirected back to local host.

Could you help me understand this a little better? How do you mean traffic locally originated by the firewall cannot be redirected? I understand FIB routing is only done after ingress processing (if no "route-to" is found on a matching inbound direction route).

> If you would get more info and incorporate routing factor into diagram
> it would be great ;)

I know! :) It would be great if this was as complete as possible as it would be really helpful to both those just starting out and the more experienced alike.

I would also like to understand the processing for virtual interfaces? I.e. should there be a separate Egress Processing chain for "enc0"

Also is policy based routing (created by IPSec encX tunnels) processed before and/or independently from "rdomain" routing?

I also don't know how packet Labels and Tags are processed?

I've done a little more to it;
http://s27.postimg.org/4ul9nayvn/Open_BSDPFPacket_Flow.jpg

>
> j.