Hi,
> But my immediate (and only -- please do NOT start a bikeshed on
> ruleset design!) question is:
> Is there a practical limit on the number of states pf can handle?
I used OpenBSD 7.1 PF during stateful NAT64 benchmarking measurements
from 400,000 to 40,000,000 states. (Of course, its connection setup and
packet forwarding performance degraded with the number of states, but
the degradation was not very drastic.)
If you are interested, you can find the results in Tables 18 - 20 of
this (open access) paper: https://doi.org/10.1016/j.comcom.2023.08.009
Best regards,
Gábor