> On Mon, Jan 31, 2011 at 04:28:28PM -0800, patrick keshishian wrote:
> > 
> > Also consider explaining what defines a state (protocol, family,
> > src/dst addr/port, rdomain).
> > 

note that there is a stateful filtering section that documents this
stuff in more detail.

> > Then continue fresh:
> > 
> >     The packet filter examines each packet to see if
> >     it matches any existing state; allowing it to pass
> >     if such a match is found without evaluation of any
> >     rules.
> > 

i just committed a fix, which i'll inline here. i borrowed your wording
for part of it (thanks!).

jmc

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.488
diff -u -r1.488 pf.conf.5
--- pf.conf.5   23 Jan 2011 23:34:18 -0000      1.488
+++ pf.conf.5   1 Feb 2011 17:27:17 -0000
@@ -126,8 +126,8 @@
 filters packets statefully:
 the first time a packet matches a
 .Ar pass
-rule, a state entry is created; for subsequent packets the filter checks
-whether the packet matches any state.
+rule, a state entry is created.
+The packet filter examines each packet to see if it matches an existing state.
 If it does, the packet is passed without evaluation of any rules.
 After the connection is closed or times out, the state entry is automatically
 removed.
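Review bot: the two new sentences on the "rule, a state entry is created." and "The packet filter examines each packet" lines describe the packet path in reverse order: the state lookup happens first, and only a packet that matches no existing state is run through the ruleset, where a matching pass rule then creates a state. Consider leading with the lookup sentence so the paragraph reads "examines each packet to see if it matches an existing state ... If it does, the packet is passed without evaluation of any rules ... the first time a packet matches a pass rule, a state entry is created", which also makes the unchanged "If it does" sentence follow directly from the sentence it refers to.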
@@ -1919,6 +1919,12 @@
 .Ar no state
 keyword can be used to specify that state will not be created
 if this is the last matching rule.
+Note that packets which match neither block nor pass rules,
+and thus are passed by default,
+are effectively passed as if
+.Ar no state
+had been specified.
+.Pp
 A number of parameters can also be set to affect how
 .Xr pf 4
 handles state tracking,
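Review bot: on the "Note that packets which match neither block nor pass rules," line the keywords block and pass appear as plain text while "no state" three lines later is marked up with .Ar, and the surrounding page marks such keywords up (".Ar pass" in the first hunk, ".Ar no state" in the context above); for consistency put each keyword on its own .Ar line, e.g. "Note that packets which match neither" / ".Ar block" / "nor" / ".Ar pass" / "rules,". On the content itself, since the added text makes clear that default-passed packets are never tracked, it would help readers to add that an explicit final rule (a block-all or a pass rule) makes the tracking behaviour explicit rather than dependent on the default policy; otherwise the note reads as a curiosity rather than as something a ruleset author can act on.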
