pf behavior question

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Jul 16 20:58:50 UTC 2010 

On 16/07/2010 18:22:04, Mario Lobo wrote:
> Hi;
> 
> System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 
> i386
> 
> The question is about how pf acts on an specific situation.
> 
> Supose I have the following rules:
> 
> 
> pass in log inet proto tcp from $int_if to any port 8021  
> flags S/SA keep state tag test
> 
> rule 2 ....
> rule 3 .....
> .
> rule n ....
> 
> pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp)
> 
> 
> Suppose the packet matches the first rule.
> 
> According to what I red about pf, it will keep parsing the rules (no "quick" 
> on the first rule). When it reaches the last rule, the tag will match and the 
> packet will pass.
> 
> I don't believe I'll have 2 state table entries for the same packet after the 
> last rule matches. or will I? 
> 
> What is the proper way to use the tag created on the first rule, as far as the   
> state table is concerned?


Correct, essentially.

No, you won't end up with two entries in the state table from this --
it's only the last matching rule that causes the state table to be
modified.  In fact, you simply can't have two state table entries for
the same (i/f, proto, srcaddr, srcport, destaddr, destport) tuple,
because those six quantities are together used as the index into the
state table.  (Note: i/f is usually 'all' unless you've 'set
state-policy if-bound' or equivalent, so generating state on one
interface allows a packet to pass on any interface.)

You don't get much from using tagging in the case you show -- as you've
only got one rule to apply tags you might as well have let that been the
place where you decided to pass or block the packet.  Tagging is a lot
more useful where you need several different rules to identify a
particular class of traffic: you can apply the tag from several
different matching rules, and then have just one rule to express your
policy for that class of traffic.  See the example in
http://www.openbsd.org/faq/pf/tagging.html which gives a pretty good
idea how it all works.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20100716/35350ad6/signature.pgp

More information about the freebsd-questions mailing list