On Thu, Dec 14, 2006 at 09:44:51AM +0100, Axel Rau wrote:
> It's not that easy. In my case, I have enough display width.
> In my current display, the following lines are marked with "*" in the
> RULE column:
> all carp entries
> 1 long running tcp connection (21:44h) (remote host no longer
> reachable)
> all local spamd connections
Compare with pfctl -vss output. If pfctl omits the "rule x" part on the third line (which begins with "age"), that means the rule that created the state is no longer present in the ruleset. This happens for instance when you load a first ruleset, a rule from there creates a state entry, then you reload a second ruleset (which may be similar or even equal to the first one, but that doesn't matter, pf doesn't map old rule numbers to new ones), while the state entry still persists.

It's even possible to create a state entry without matching a filter rule at all (I think using "rdr/nat pass ..." will do that), in which case the state entry is associated with the so-called "default pass rule", which has rule number -1. pfctl -vss will omit the "rule x" part if the number is -1. pftop always tries to render the number as an unsigned integer, hence -1 will become a very large positive number, which probably still doesn't fit your console width, and gets rendered as "*".

If you insist that there be no state entries present referring to no-longer-existent rules, you'll have to flush the state table whenever you reload the ruleset. Your choice ;)

Daniel
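As an added illustration (not part of the thread and not pf or pftop code), a small script that walks `pfctl -vss` output and flags the state entries whose "age" line carries no "rule N", i.e. states whose creating rule is gone or that belong to the default pass rule; it also mimics the unsigned rendering of -1 described above. The sample output and the `render_rule_column` helper are constructed for this example.

```python
import re

# Constructed sample of `pfctl -vss` output (not captured from a real host).
# The second state has no "rule N" on its "age" line: its creating rule is
# no longer in the loaded ruleset, or it was created by the default pass
# rule, whose number is -1.
SAMPLE_PFCTL_VSS = """\
all tcp 10.0.0.1:22 <- 192.168.1.5:51234       ESTABLISHED:ESTABLISHED
   [1000 + 16384] wscale 6  [2000 + 65535] wscale 7
   age 00:01:23, expires in 23:59:59, 12:34 pkts, 5678:9012 bytes, rule 5
all tcp 10.0.0.1:25 <- 203.0.113.7:40001       ESTABLISHED:ESTABLISHED
   [3000 + 8192]  [4000 + 8192]
   age 21:44:02, expires in 00:10:00, 40:0 pkts, 3200:0 bytes
all udp 10.0.0.1:53 <- 192.168.1.9:5353        MULTIPLE:MULTIPLE
   age 00:00:05, expires in 00:00:55, 4:4 pkts, 240:240 bytes, rule 12
"""

STATE_HEADER = re.compile(r"^\S")      # a state's first line starts in column 0
AGE_LINE = re.compile(r"^\s+age ")     # the detail line that may end in "rule N"
RULE_FIELD = re.compile(r", rule (\d+)$")

def parse_states(text):
    """Return (header, rule) pairs; rule is None when pfctl omitted it."""
    states = []
    for line in text.splitlines():
        if STATE_HEADER.match(line):
            states.append([line.strip(), None])
        elif AGE_LINE.match(line) and states:
            m = RULE_FIELD.search(line.rstrip())
            if m:
                states[-1][1] = int(m.group(1))
    return [tuple(s) for s in states]

def orphan_states(text):
    """Headers of states that no current rule in the ruleset accounts for."""
    return [hdr for hdr, rule in parse_states(text) if rule is None]

def render_rule_column(rule, width):
    """Hypothetical rendering of the RULE column as the message describes it:
    the number is printed as an unsigned 32-bit integer, and a value wider
    than the column collapses to '*'."""
    s = str(rule & 0xFFFFFFFF)         # -1 becomes 4294967295
    return s if len(s) <= width else "*"

if __name__ == "__main__":
    for hdr in orphan_states(SAMPLE_PFCTL_VSS):
        print("no current rule:", hdr)
    print(render_rule_column(-1, 4))
```

Feed it real output with `pfctl -vss | python3 script.py` style plumbing (reading stdin instead of the sample) to list the states that will show up as "*" in pftop.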