On 04/08/2008 10:41:07 AM, Daniel Hartmeier wrote:
> No, pf can't do it. Not because it's technically impossible or unreasonable, it's just not a typical use case. For most users, routable address space is a scarcer resource than RAM for state table entries (they have much less external IP addresses than internal ones).
Which makes me wonder what the problem with state is in the first place. Seems to me that just because replies might go through a different device than the original packet does not mean that you can't have state, it just means that you want all the devices to have the same state.

Wouldn't something like a binat rule that does source-hash where the key is specified always do the same translation regardless of whether the flow has been seen before? Then you put the same binat rules on all your devices and you're done. Perhaps binat's source-hash is sensitive to the direction of the initial packet? If so, that's a problem, but a problem that I'd guess is a lot easier to solve than getting rid of state. (There's also pfsync for sharing state, but I can't imagine how you'd get rid of race conditions.)

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
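As an added conceptual example (not code from this thread and not pf's own hashing algorithm), the following Python models the two properties being argued about: a keyed source hash lets every device holding the same key pick the same external address for a given internal source without any shared state, but the hash only runs in the outbound direction, so a reply arriving at a pool address cannot be mapped back to one internal host without the per-flow state table. The key, the pool and the internal hosts are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed example: a conceptual model of a keyed "source-hash" address pool.
# It is NOT pf's actual hashing algorithm; it only illustrates the properties the
# thread argues about. The key and all addresses are made-up sample values.
SHARED_KEY = b"example-pool-key"
EXT_POOL = [str(h) for h in ipaddress.ip_network("198.51.100.0/30").hosts()]  # 2 addrs
INT_HOSTS = [f"10.0.0.{i}" for i in range(1, 7)]  # six internal hosts


def pick_external(src_ip: str, key: bytes, pool: list) -> str:
    """Choose a pool address from a keyed hash of the *source* address only.

    No per-flow state is consulted, so any device holding the same key and the
    same pool makes the same choice for the same internal source.
    """
    digest = hmac.new(key, ipaddress.ip_address(src_ip).packed, hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def outbound_translation(src_ip: str, key: bytes = SHARED_KEY) -> str:
    """Outbound direction: internal source -> external pool address, stateless."""
    return pick_external(src_ip, key, EXT_POOL)


def devices_agree(src_ip: str, keys: list) -> bool:
    """True if every device (one key each) picks the same external address."""
    return len({pick_external(src_ip, k, EXT_POOL) for k in keys}) == 1


def inbound_candidates(ext_ip: str, key: bytes = SHARED_KEY) -> list:
    """Inbound direction: which internal hosts could a reply to ext_ip belong to?

    The hash only runs forward (source -> pool address), so a stateless device
    can at best enumerate every internal host that hashes to ext_ip. With more
    hosts than pool addresses this is necessarily ambiguous; resolving it is
    exactly the job of the per-flow state table (or pfsync'd copies of it).
    """
    return [h for h in INT_HOSTS if pick_external(h, key, EXT_POOL) == ext_ip]


if __name__ == "__main__":
    for host in INT_HOSTS:
        print(f"{host:10} -> {outbound_translation(host)}  "
              f"two devices with the same key agree: {devices_agree(host, [SHARED_KEY, SHARED_KEY])}")
    for ext in EXT_POOL:
        print(f"reply to {ext} could belong to any of: {inbound_candidates(ext)}")
```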