On Tue, Aug 05, 2003 at 11:16:25AM +0300, Alexey E. Suslikov wrote: > there is no any mention about "direction" property in the state entry: > "... If a packet matches a pass ... keep state rule, the filter creates a state > for this connection and automatically lets pass all subsequent packets of that > connection...".
Yes, that's a deficiency of the documentation, then. But realize that most people (including me) usually create state only on the external interface and pass traffic on the internal interface(s) unfiltered. This reduces complexity and in such setups, the documentation is correct, allthough it doesn't tell the whole story. Creating two states with the purpose of using the second state for something useful (like queueing, or additional translations or or redirections, etc.) is a somewhat advanced use. Ideally, the man page would achieve to tell the whole story without immediately confusing those that only want the simple use, maybe explaining the state matching including direction in a separate section. > > note that this does not cover the very same packet leaving through $ext > > > 10.1.1.1 -> 10.2.2.2 outgoing on $ext > > ALL SUBSEQUENT PACKETS. is "10.1.1.1 -> 10.2.2.2 outgoing on $ext" not a > subsequent packet of the already keepstated connection? why this is "neither > a) nor b)"? See above. The packet will not match the first state, you can easily verify with a test ruleset. The reason the example rulesets (that create only one state) do work is that there's a 'pass quick on $int' rule in all of them, and this rule is relevant. There's one other way to explain states: imagine each state only matches packets passing the interface the state entry was created for. That model explains how you can have two state entries on the internal and external interfaces, and why the direction would matter. But it's not entirely true, either, as state entries are not really bound to an interface (only to the direction). Not yet, at least, as it would have some advantages making it worth changing. And the fully correct and complete direction-model is the most confusing to explain in documentation. I think older revisions of the man page actually did explain it, but people have removed bothersome sections from the man page over time (you can use cvsweb to investigate, if you care). But I can assure you, if the man page contradicts what I wrote in this discussion, I am right. Which means you actually can create two states and queue outgoing packets of one connection on both interfaces individually. If you have doubts, try it. You're welcome to send pf.conf(5) patches, BTW :) Daniel
