On Mon, Jan 31, 2011 at 11:28:13AM +0100, Henning Brauer wrote:
> 
> then i change my mind and we should add a note that the default pass
> behaviour (NOT rule, even tho there kinda is a default rule
> internally...) doesn't lead to state creation.
> 

it's not going to be easy deciding where to insert this text, but we can
have a go. but first, i have questions ;(

firstly, what is the reason for the "no state" of packets passed by
default (i.e. without matching a rule)? we do say:

        By default pf(4) filters packets statefully...

but it does not then, for these (default ;( packets.

secondly i'm not sure i like our explanation of state:

        By default pf(4) filters packets statefully: the first time
        a packet matches a pass rule, a state entry is created; for
        subsequent packets the filter checks whether the packet
        matches any state.

that "any state" text at the end is horribly ambiguous. should that say
"any state entry"? and what does a state entry look like?

jmc
