On 04/08/2008 10:41:07 AM, Daniel Hartmeier wrote:

> No, pf can't do it. Not because it's technically impossible or
> unreasonable, it's just not a typical use case. For most users,
> routable address space is a scarcer resource than RAM for state
> table entries (they have much less external IP addresses than
> internal ones).

Which makes me wonder what the problem with state is in the first
place.  Seems to me that just because replies might go through
a different device than the original packet does not mean that
you can't have state, it just means that you want all the
devices to have the same state.  Wouldn't something like
a binat rule that does source-hash where the key is specified
always do the same translation regardless of whether the flow
has been seen before?  Then you put the same binat rules
on all your devices and you're done.

Perhaps binat's source-hash is sensitive to the direction
of the initial packet?  If so that's a problem, but a
problem that I'd guess is a lot easier to solve than
getting rid of state.

(There's also pfsync for sharing state, but I can't imagine
how you'd get rid of race conditions.)


Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
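As an added illustration (not part of the thread), this is what the "same translation on every device" idea looks like in pf.conf: a nat rule with an explicitly specified source-hash key, replicated verbatim on each firewall. Interface, network and pool addresses are placeholders; note that pf nat rules still create state entries, so identical rules alone do not remove the need for state on the return path.

```pf
# Identical on every firewall in the cluster. Giving source-hash an
# explicit key (instead of letting pfctl pick a random one) makes the
# hash, and therefore the chosen external address, the same on each box.
ext_if   = "em0"                  # placeholder external interface
int_net  = "10.0.0.0/8"           # placeholder internal range
ext_pool = "{ 192.0.2.8/29 }"     # placeholder external pool (RFC 5737 range)

# static-port keeps the original source port so the translation depends
# only on the source address and the shared key.
nat on $ext_if from $int_net to any -> $ext_pool \
    source-hash "shared-cluster-key-placeholder" static-port
```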
