queueing and keep state

I would like to run by you some of my attempts to grasp pf, so by all
means, please correct me if I'm wrong.
First I'd like to clarify state policy behavior.
If I use state policy floating, for a connection passing through the box a
single state is created matching on all interfaces, allowing packets from A
to B and back from B to A. Correct?
If this is correct, and I do all filtering for packets leaving the lan to
the internet on the internal interface, like:
       pass in on $int_if inet from A to B keep state
and I want to queue packets arriving for host A like this:
       pass out on $int_if inet from B to A queue kvg keep state
The pass out rule would never match because the returning packets would
match the state entry and no rule processing would be done, right? Would
this be different if I used state policy if-bound? I assume not because
the state entry would still match on $int_if.
Using state policy if-bound I could filter the connection outbound on the
external interface and then do queueing outbound on $int_if, but I would
still have to pass the packets in on the internal interface without keep
state. It's not much of an elegant solution, not to mention performance.
How would you recommend I do this?
Secondly, for a connection passing through the box:
  - 1 state entry is created using state policy floating
  - 2 state entries are created using state policy if-bound
Are there situations where more than 2 state entries are created? (I would
assume not)
Are there any utilities to aid in debugging a ruleset like ipftest or
something similar? I know it's been asked before, but I can't find the
related messages.
If I'm not making much sense, it's because I haven't had my coffee yet.