On 5/9/06, Ryan McBride <[EMAIL PROTECTED]> wrote:
Actually, preliminary code to match states to the correct rule is in 3.9:

        /*
         * If the ruleset checksums match, it's safe to associate the state
         * with the rule of that number.
         */
        if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && chksum_flag)
                r = pf_main_ruleset.rules[
                    PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)];
        else
                r = &pf_default_rule;

If the rulesets are "identical", states created by rules in the main ruleset are associated with the correct rule on the receiving firewall. This means that things like state limits, tcp timeouts, and queues will work correctly. You can check the ruleset checksum with pfctl -vsi, to make sure that the rulesets will support this function.

Note that it doesn't work for anchor rulesets, and we're still not matching states to the correct NAT rule. Hopefully I'll get a chance to fix some of this stuff before the next release, possibly at the hackathon.
Thanks for the insight, Ryan! I'm going to take a look at that and look at the code too to see what I can make of it, then get back to the list with my findings. (=

-- 
Hisham Mardam Bey
MSc (Computer Science)
http://hisham.cc/
+9613609386
Codito Ergo Sum (I Code Therefore I Am)
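To make the state-to-rule association logic Ryan quotes concrete, here is a small stand-alone C model of it. This is an added example, not pf or pfsync code: the `rule`, `ruleset` and `sync_state` structures, the toy checksum (pf uses an MD5 over the ruleset; this one is a constructed FNV-style hash that merely differs when the rules differ) and the `demo()` scenarios are all assumptions made for the illustration. The selection rule itself mirrors the quoted condition: the received rule number is honoured only when the peer's ruleset checksum equals ours and the rule is in the main ruleset (anchor == -1); otherwise the state falls back to the default rule. The example also bounds-checks the rule index before indexing the local ruleset, which the quoted fragment does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htonl / ntohl, as used in the quoted pf code */

/* Constructed stand-in for a pf rule: only the fields this demo needs. */
struct rule {
    const char *label;
    uint32_t    max_states;   /* a per-rule state limit, enforced on the receiver */
};

/* Constructed stand-in for the active filter ruleset plus its checksum. */
struct ruleset {
    struct rule *rules;
    uint32_t     count;
    uint8_t      chksum[16];  /* pf uses MD5 here; this demo stores a toy hash */
};

/* The two wire-format state fields that matter here (network byte order). */
struct sync_state {
    uint32_t rule;    /* rule number, or htonl(-1) if the state has none */
    uint32_t anchor;  /* htonl(-1) when the rule lives in the main ruleset */
};

static struct rule default_rule = { "default", 0 };

/* Toy checksum over the rules: NOT pf's algorithm, just enough to change
 * whenever a rule is added, removed or edited. */
void ruleset_checksum(struct ruleset *rs)
{
    uint32_t h = 2166136261u;
    for (uint32_t i = 0; i < rs->count; i++) {
        const char *p = rs->rules[i].label;
        while (*p) { h ^= (uint8_t)*p++; h *= 16777619u; }
        h ^= rs->rules[i].max_states; h *= 16777619u;
    }
    memset(rs->chksum, 0, sizeof rs->chksum);
    memcpy(rs->chksum, &h, sizeof h);
}

/* Mirror of the quoted 3.9 logic: associate the state with rule N only if the
 * peer's checksum equals ours and the rule is in the main ruleset, otherwise
 * use the default rule. The index bounds check is added for this example. */
const struct rule *associate_rule(const struct ruleset *local,
                                  const uint8_t peer_chksum[16],
                                  const struct sync_state *sp)
{
    int chksum_flag = memcmp(local->chksum, peer_chksum, 16) == 0;
    uint32_t n = ntohl(sp->rule);

    if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && chksum_flag
        && n < local->count)
        return &local->rules[n];
    return &default_rule;
}

/* Constructed scenarios; returns the label of the rule the state lands on.
 * 0: rulesets identical, 1: peer has an extra rule, 2: rule is in an anchor. */
const char *demo(int scenario)
{
    struct rule a_rules[] = { {"ssh", 100}, {"web", 1000} };
    struct rule b_rules[] = { {"ssh", 100}, {"web", 1000}, {"dns", 50} };
    struct ruleset local = { a_rules, 2, {0} };
    struct ruleset peer  = { scenario == 1 ? b_rules : a_rules,
                             scenario == 1 ? 3 : 2, {0} };
    ruleset_checksum(&local);
    ruleset_checksum(&peer);

    /* State created by rule #1 ("web") on the peer. */
    struct sync_state sp = { htonl(1), scenario == 2 ? htonl(0) : htonl(-1) };
    return associate_rule(&local, peer.chksum, &sp)->label;
}

int main(void)
{
    printf("identical rulesets: %s\n", demo(0));   /* web */
    printf("differing rulesets: %s\n", demo(1));   /* default */
    printf("anchor rule:        %s\n", demo(2));   /* default */
    return 0;
}
```

The second scenario is the operational point behind Ryan's pfctl -vsi advice: a single extra or edited rule on one firewall changes the checksum, so every synced state silently lands on the default rule and loses its state limit, timeouts and queue assignment, even though the peer's rule number is still a valid index into the local ruleset.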