pf behavior question

Matthew Seaman m.seaman at
Fri Jul 16 20:58:50 UTC 2010

On 16/07/2010 18:22:04, Mario Lobo wrote:
> Hi;
> System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386
> The question is about how pf acts in a specific situation.
> Suppose I have the following rules:
> pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test
> rule 2 ....
> rule 3 .....
> .
> rule n ....
> pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp)
> Suppose the packet matches the first rule.
> According to what I read about pf, it will keep parsing the rules (no "quick"
> on the first rule). When it reaches the last rule, the tag will match and the
> packet will pass.
> I don't believe I'll have 2 state table entries for the same packet after the
> last rule matches. Or will I?
> What is the proper way to use the tag created on the first rule, as far as the
> state table is concerned?

Correct, essentially.

No, you won't end up with two entries in the state table from this --
it's only the last matching rule that causes the state table to be
modified.  In fact, you simply can't have two state table entries for
the same (i/f, proto, srcaddr, srcport, destaddr, destport) tuple,
because those six quantities are together used as the index into the
state table.  (Note: i/f is usually 'all' unless you've 'set
state-policy if-bound' or equivalent, so generating state on one
interface allows a packet to pass on any interface.)

You don't get much from using tagging in the case you show -- as you've
only got one rule to apply tags you might as well have let that be the
place where you decided to pass or block the packet.  Tagging is a lot
more useful where you need several different rules to identify a
particular class of traffic: you can apply the tag from several
different matching rules, and then have just one rule to express your
policy for that class of traffic.  See the example in which gives a pretty good
idea how it all works.



Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP:
JID: matthew at
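As an added illustration of the pattern Matthew describes (not part of the original thread), the pf.conf fragment below has several rules classify a class of traffic by tag and a single rule carry the policy. The macros $int_if and $dmz_if, the queue named ftp and the tag name ftpclass are assumptions for this example.

```pf
# Added example, not from the original thread. Assumes $int_if and $dmz_if
# are defined as macros above and that an ALTQ queue "ftp" exists.

# Options must precede the filter rules. Binding state to the interface it
# was created on stops a state made on $int_if from passing packets on
# $dmz_if (the default is "floating", i.e. the interface is "all").
set state-policy if-bound

# Classification: each of these rules only attaches the tag. None of them
# is "quick", so evaluation continues down the ruleset after a match.
pass in on $int_if inet proto tcp from $int_if:network to any port 21 \
    flags S/SA tag ftpclass
pass in on $int_if inet proto tcp from $int_if:network to any port 8021 \
    flags S/SA tag ftpclass
pass in on $dmz_if inet proto tcp from $dmz_if:network to any port 21 \
    flags S/SA tag ftpclass

# Policy: one rule decides the fate of the whole class. As the last
# matching rule it is the one that creates the state entry and assigns the
# queue; the earlier matches do not add a second entry for the same
# (i/f, proto, srcaddr, srcport, destaddr, destport) tuple.
pass in log quick inet proto tcp tagged ftpclass \
    flags S/SA keep state queue (ftp)

# Anything tagged but not otherwise passed is dropped here, so a new
# classifying rule never silently widens the policy.
block in log quick inet proto tcp tagged ftpclass
```

Adding a new port or interface to the class is then a one-line change to the classification section; the policy rule and the state it creates stay the same.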
