Creating span interface using 'dup-to' option
Kristof Provost
kp at FreeBSD.org
Sun Nov 22 19:15:02 UTC 2015
On 2015-11-15 18:33:49 (+0100), Kristof Provost <kp at FreeBSD.org> wrote:
> On the other hand, perhaps there's something we can do about the state
> matching. The problems all start because we match state on the
> duplicated packet. That's not correct, because the rule is set on e.g.
> em0, but the duplicated packet is sent out on em1.
> In fact, from a first reading of the code I don't actually understand
> why we're getting that state match.
>
I've looked at the state matching for a bit. It turns out that by
default packets will match state on any interface (specifically, the
state is saved to the 'all' interface, rather than to the specific
interface it was created on).
That default can be changed with 'set state-policy if-bound'. I'd expect
adding that would work around the problem you see.
Regards,
Kristof
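
The setting suggested in the message above, as an added pf.conf sketch that is not part of the original e-mail. The interface names em0 and em1 come from the thread; the monitor address 192.0.2.10 and the rule itself are constructed for illustration.

```conf
# Constructed example, not the original poster's ruleset.
# Assumptions: em0 carries the traffic to be mirrored, em1 is the span
# interface, 192.0.2.10 is a placeholder next hop for the monitoring host.

traffic_if = "em0"
span_if    = "em1"
span_host  = "192.0.2.10"

# Default behaviour (floating): state is stored on the 'all' interface,
# so a packet seen on any interface can match it. This is the default
# the message describes.
#set state-policy floating

# Suggested change: bind each state to the interface it was created on,
# so state created by the rule on em0 is not matched by the duplicated
# packet leaving on em1.
set state-policy if-bound

# Mirror inbound traffic on em0 to the monitor reachable via em1.
pass in on $traffic_if dup-to ($span_if $span_host) inet proto tcp \
    from any to any keep state

# The same policy can instead be set per rule, leaving the global
# default untouched:
#pass in on $traffic_if dup-to ($span_if $span_host) inet proto tcp \
#    from any to any keep state (if-bound)
```

After loading the ruleset, `pfctl -ss` lists each state prefixed with the interface it is bound to, so `all` versus `em0` shows which policy is in effect.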