From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Eugene M. Zheganin", freebsd-pf@freebsd.org
Date: Tue, 5 Mar 2024 10:29:04 +0100
Subject: Re: dumb question about "no state"
Message-ID: <88035aa9-bfd1-41f4-ba9a-08b2bc8441d1@quip.cz>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 05/03/2024 09:11, Eugene M. Zheganin wrote:
> Hello,
>
> I hope the following is self-explanatory:
>
>
> pfctl -vs rules:
>
> [...]
>
> pass quick proto tcp all flags A/A no state
>   [ Evaluations: 1125881   Packets: 972814    Bytes: 421350757 States: 82    ]
>   [ Inserted: uid 0 pid 28187 State Creations: 82    ]
>
> man pf.conf:
>      pass  The packet is passed; state is created unless the no state
>            option is specified.
>
>
> Why does this rule create states? Am I misreading/misunderstanding the
> part "state is created unless the no state option is specified"?

Also from the man page, a few lines after your citation:

    By default pf(4) filters packets statefully; the first time a packet
    matches a pass rule, a state entry is created; for subsequent packets
    the filter checks whether the packet matches any state.

Kind regards
Miroslav Lachman
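
The mismatch raised in the question can be checked across a whole ruleset. The following is an added example, not part of the original messages: it parses `pfctl -vs rules` output in the layout quoted above and lists rules that carry `no state` yet show non-zero state counters. The function names are hypothetical, and the second rule in the sample is constructed for contrast.

```python
import re

# Constructed sample: the rule and counters quoted in the thread, plus one
# invented stateful rule for contrast.
SAMPLE = """\
pass quick proto tcp all flags A/A no state
  [ Evaluations: 1125881   Packets: 972814    Bytes: 421350757 States: 82    ]
  [ Inserted: uid 0 pid 28187 State Creations: 82    ]
pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 5000      Packets: 1200      Bytes: 90000     States: 3     ]
  [ Inserted: uid 0 pid 28187 State Creations: 40    ]
"""

# "Name: <integer>" pairs inside a bracketed counter line. Names start with a
# capital letter, so "uid 0" and "pid 28187" are skipped.
COUNTER = re.compile(r"([A-Z][A-Za-z ]*?):\s+(\d+)")


def parse_rules(text):
    """Return a list of {'rule': str, 'counters': {name: int}} dicts."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("["):
            # Counter lines belong to the most recent rule line.
            if rules:
                for name, value in COUNTER.findall(stripped):
                    rules[-1]["counters"][name.strip()] = int(value)
        else:
            rules.append({"rule": stripped, "counters": {}})
    return rules


def stateless_rules_with_states(rules):
    """Rules that say 'no state' but whose state counters are non-zero."""
    flagged = []
    for r in rules:
        c = r["counters"]
        has_states = c.get("States", 0) or c.get("State Creations", 0)
        if re.search(r"\bno state\b", r["rule"]) and has_states:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for r in stateless_rules_with_states(parse_rules(SAMPLE)):
        print(r["rule"], r["counters"])
```

On a live host the same functions can be fed the captured output of `pfctl -vs rules` instead of `SAMPLE`.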