pf usage

RW rwmaillists at googlemail.com
Thu Feb 27 22:15:20 UTC 2020


On Wed, 26 Feb 2020 02:55:15 -0800
Doug Hardie wrote:

> I just learned something quite unexpected about pf.  Some time ago,
> the rules had to include "state" to have pf track state.  However,
> later pf was changed to always assume "state" thus reducing the
> typing of the rules.  The description of that change made me believe
> that the change was in pf.  On one of my systems with two NICs and
> two different internet providers, I was using pftop to track usage.
> The only states I saw were for just one network.  The other one never
> showed any states, but the packets were delivered properly.
> 
> I discovered that pf has to have a rule for each interface.  I used
> "pass all" for the interface that needed no other rules.  The change
> apparently was made to pfctl not pf.  So the one interface had no
> rules, and hence there was nothing to tell pf to track state.

If your concern is to do with efficiency, there may be an optimization
there. It's possible that pfctl sets a flag on interfaces that aren't
affected by the rule set, so that traffic can pass with low overheads
and without creating unnecessary state entries.

I've no idea whether this is correct, it's just speculation. But if it
is then forcing state entries would be counterproductive.
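Added illustration, not part of either message above: a two-interface pf.conf in which each interface gets an explicit pass rule, so that pf creates state entries for traffic on both, followed by the pfctl commands that show where the implicit "keep state" comes from. Interface names and the LAN prefix are assumptions.

```pf
# Constructed example (assumed interface names and addresses).
ext_if1 = "em0"        # first ISP
ext_if2 = "em1"        # second ISP
int_if  = "em2"        # LAN side
lan_net = "192.168.1.0/24"

# Skipping an interface is the explicit way to let traffic through
# without filtering or state; it is a pf feature, not something the
# thread used, and is shown here only as the deliberate alternative
# to having no rule at all on an interface.
set skip on lo0

# Explicit rules on each interface. pfctl, not the kernel pf code,
# appends "keep state" to pass rules that do not name a state option,
# so both interfaces below will show up in the state table.
pass out on $ext_if1 all
pass out on $ext_if2 all
pass in  on $int_if from $lan_net to any
block in on { $ext_if1 $ext_if2 }

# Verification from a shell, not part of pf.conf:
#   pfctl -nvf /etc/pf.conf   # parse only; prints each rule as pfctl
#                             # will load it, including the added
#                             # "flags S/SA keep state"
#   pfctl -s states           # confirm entries appear for both em0 and em1
#   pfctl -s info             # state-table counters per load
```

Comparing the rules you wrote with the `pfctl -nvf` output is the quickest way to see that the default state tracking is added at load time by pfctl.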
