On 5/9/06, Ryan McBride <[EMAIL PROTECTED]> wrote:

Actually, preliminary code to match states to the correct rule is in
3.9:

        /*
         * If the ruleset checksums match, it's safe to associate the state
         * with the rule of that number.
         */
        if (sp->rule != htonl(-1) && sp->anchor == htonl(-1) && chksum_flag)
                r = pf_main_ruleset.rules[
                    PF_RULESET_FILTER].active.ptr_array[ntohl(sp->rule)];
        else
                r = &pf_default_rule;


If the rulesets are "identical", states created by rules in the
main ruleset are associated with the correct rule on the receiving
firewall. This means that things like state limits, tcp timeouts, and
queues will work correctly.

You can check the ruleset checksum with pfctl -vsi, to make sure that
the rulesets will support this function.

Note that it doesn't work for anchor rulesets, and we're still not
matching states to the correct NAT rule. Hopefully I'll get a chance to
fix some of this stuff before the next release, possibly at the
hackathon.


Thanks for the insight Ryan! I'm going to take a look at that and look
at the code too to see what I can make of it then get back to the list
with my findings. (=

--
Hisham Mardam Bey
MSc (Computer Science)
http://hisham.cc/
+9613609386
Codito Ergo Sum (I Code Therefore I Am)
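As an added example (a constructed model, not OpenBSD's pf or pfsync code) of the association check in Ryan's 3.9 snippet: the receiving firewall binds a synced state to its local rule index only when the two ruleset checksums agree, the state came from the main ruleset, and the index is in range (the range check is an extra guard not in the snippet); otherwise it falls back to the default rule, which is why per-rule state limits stop applying once the rulesets drift. The rule struct, the three rulesets and the FNV-1a checksum are assumptions standing in for pf's own, and wire fields are kept in host byte order.

```c
/* Added model of the pfsync rule-association check (constructed, not OpenBSD code).
 * Wire fields are kept in host byte order here; pf uses htonl/ntohl and its own
 * ruleset checksum; FNV-1a stands in for it. */
#include <stddef.h>
#include <stdint.h>

#define PF_NO_RULE UINT32_MAX   /* stands in for htonl(-1) in the 3.9 snippet */

struct rule {
    const char *text;        /* constructed rule text, hashed into the checksum */
    uint32_t    max_states;  /* per-rule state limit that only applies when bound */
};

static const struct rule default_rule = { "default", 0 };

/* Local (receiving) ruleset and two candidate peer rulesets, all constructed. */
static const struct rule rs_local[]     = { {"block all", 0}, {"pass in proto tcp to port 22", 100}, {"pass out", 0} };
static const struct rule rs_peer_same[] = { {"block all", 0}, {"pass in proto tcp to port 22", 100}, {"pass out", 0} };
static const struct rule rs_peer_diff[] = { {"block all", 0}, {"pass in proto tcp to port 2222", 100}, {"pass out", 0} };
#define N_LOCAL (sizeof rs_local / sizeof rs_local[0])

/* FNV-1a over the rule texts; any change in order or content changes the sum. */
static uint32_t ruleset_checksum(const struct rule *rs, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++)
        for (const char *p = rs[i].text; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    return h;
}

struct pfsync_state { uint32_t rule; uint32_t anchor; };   /* fields from the state update */

/* Same decision as the 3.9 code: bind to rules[rule] only when the peer's checksum
 * equals ours, the state came from the main ruleset (anchor == -1) and the index
 * is in range (the range check is an added safety guard); else use the default rule. */
static const struct rule *pfsync_state_rule(const struct pfsync_state *sp,
        const struct rule *rs, size_t n, uint32_t local_sum, uint32_t peer_sum) {
    int chksum_flag = (local_sum == peer_sum);
    if (sp->rule != PF_NO_RULE && sp->anchor == PF_NO_RULE && chksum_flag && sp->rule < n)
        return &rs[sp->rule];
    return &default_rule;
}

/* Index of the local rule a received state binds to, or -1 for the default rule. */
int bound_rule_index(const struct rule *peer_rs, size_t peer_n, uint32_t rule, uint32_t anchor) {
    struct pfsync_state sp = { rule, anchor };
    const struct rule *r = pfsync_state_rule(&sp, rs_local, N_LOCAL,
        ruleset_checksum(rs_local, N_LOCAL), ruleset_checksum(peer_rs, peer_n));
    return r == &default_rule ? -1 : (int)(r - rs_local);
}
```

Compare the result with `pfctl -vsi` on both firewalls: when the checksums shown there differ, every synced state lands on the default rule, just as the mismatch case does here.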