Date: Tue, 5 Mar 2024 12:55:42 +0100
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Eugene M. Zheganin", freebsd-pf@freebsd.org
Subject: Re: dumb question about "no state"

On 05/03/2024 11:30, Eugene M. Zheganin wrote:
> Hello,
>
> On 05.03.2024 14:29, Miroslav Lachman wrote:
>>
>>> Why does this rule create states? Am I misreading/misunderstanding
>>> the part "state is created unless the no state option is specified"?
>>
>> Also from the man page, a few lines after your citation:
>>
>> By default pf(4) filters packets statefully; the first time a packet
>> matches a pass rule, a state entry is created; for subsequent packets
>> the filter checks whether the packet matches any state.
>>
> I'm failing to see how this can explain state creation by a rule that
> clearly shouldn't create any states at all. Furthermore, states are
> (usually) created by a packet with SYN flag, in case of TCP.

I am sorry, you are right. I missed the part of your message with 82 states.
I have no explanation for that.

Kind regards
Miroslav Lachman