On Monday, Oct 18, 2004, at 02:38 US/Pacific, Oliver Humpage wrote:

States always match address pairs directionally. Even though "floating" is not physically tied to an interface, the packets on the external interface will be "going the wrong way" with respect to their addresses, and won't match state.

How do you mean "wrong way"? If state merely matches source and destination IPs and ports, that should stay the same whether the packet is entering or leaving the system (if there's no nat).

As I said, they match _directionally_. If you receive a packet in on $int_if, and it has a src of 10.0.0.1 and a dst of 192.168.0.1, it would be rather silly to accept another packet in on $int_if with a src of 192.168.0.1 and a dst of 10.0.0.1. The point of state is also to allow replies, so if src is known to be 10.0.0.1 when the packet is inbound, then src must logically be 192.168.0.1 when it is outbound. Since this is the original packet (not a reply), and it's going out another interface ($ext_if), src is still 10.0.0.1 and won't match.


And of course directionality must be known when NAT is involved, so the unified state table simply works the same way whether translation is being done or not.
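To make the "wrong way" argument above concrete, here is a small Python model of a directional state table, added as an illustration of the thread and not code from pf itself or from either poster. It borrows the lan/gwy/ext naming of the pf state entry of that era and replays the packet from the message (10.0.0.1 in on $int_if, 192.168.0.1 as the destination); everything else (address family, protocol, TCP sequence checking, timeouts, interface binding) is deliberately left out, so this is an assumed simplification, not pf's lookup code.

```python
"""Toy model of a directional firewall state table (illustration, not pf source)."""
from dataclasses import dataclass
from typing import List, Optional

IN, OUT = "in", "out"          # direction of the packet relative to the firewall


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass(frozen=True)
class State:
    # Field names follow the pf state entry of that era (lan / gwy / ext).
    # There is no NAT in this model, so gwy is always identical to lan.
    lan: Endpoint    # the host "behind" the firewall
    gwy: Endpoint    # lan as seen on the wire (differs from lan only with NAT)
    ext: Endpoint    # the peer on the far side
    created_by: str  # the rule that created it, for readability only


class StateTable:
    """Simplified state table: no address family, protocol, sequence tracking,
    timeouts or interface binding ("floating"), only the directional key."""

    def __init__(self) -> None:
        self.states: List[State] = []

    def create(self, direction: str, pkt: Packet, rule: str) -> State:
        # Which address becomes "lan" depends on the direction of the creating packet.
        if direction == OUT:
            st = State(lan=pkt.src, gwy=pkt.src, ext=pkt.dst, created_by=rule)
        else:
            st = State(lan=pkt.dst, gwy=pkt.dst, ext=pkt.src, created_by=rule)
        self.states.append(st)
        return st

    def find(self, direction: str, pkt: Packet) -> Optional[State]:
        # Outbound packets are looked up as (lan, ext); inbound ones as (ext, gwy).
        for st in self.states:
            if direction == OUT and st.lan == pkt.src and st.ext == pkt.dst:
                return st
            if direction == IN and st.ext == pkt.src and st.gwy == pkt.dst:
                return st
        return None


def walk_through() -> dict:
    """Replay the scenario from the thread and report which lookups match."""
    table = StateTable()
    orig = Packet(Endpoint("10.0.0.1", 1234), Endpoint("192.168.0.1", 80))
    reply = Packet(orig.dst, orig.src)   # same address pair, swapped

    # 1. orig arrives on $int_if: "pass in on $int_if keep state" creates the state.
    st_int = table.create(IN, orig, "pass in on $int_if keep state")

    result = {
        # 2. A packet with the addresses swapped arriving on $int_if is not a reply
        #    to anything: the inbound key (ext=192.168.0.1, gwy=10.0.0.1) does not match.
        "swapped_in_on_int_if": table.find(IN, reply) is st_int,
        # 3. orig itself, now leaving via $ext_if, is looked up as an outbound packet:
        #    the key needs lan == 10.0.0.1, but st_int has lan == 192.168.0.1.
        "orig_out_on_ext_if": table.find(OUT, orig) is st_int,
    }

    # 4. So a second rule is needed on the external interface, creating a second state.
    st_ext = table.create(OUT, orig, "pass out on $ext_if keep state")

    # 5. The reply matches st_ext coming in on $ext_if ...
    result["reply_in_on_ext_if"] = table.find(IN, reply) is st_ext
    # 6. ... and st_int going out on $int_if, because for an outbound packet the
    #    source must be the side that was the destination when the state was created.
    result["reply_out_on_int_if"] = table.find(OUT, reply) is st_int
    return result


if __name__ == "__main__":
    for step, matched in walk_through().items():
        print(f"{step:24s} -> {'matches' if matched else 'no state'}")
```

Steps 2 and 3 are the two lookups the message says must fail; steps 5 and 6 show the reply being let through by the same two states in the opposite direction. "Floating" only removes the interface from the key in this model; it never removes the direction, which is the distinction the thread is about.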
