| Stateful packet inspection is enabled using `stateful' or
| `stateful-ends' keywords. The former creates a state which is
| uniquely identified by a 5-tuple (source and destination IP
| addresses, port numbers and an interface identifier). The latter
| excludes the interface identifier and must be used with precaution.

Thanks! I guess I'll use it as an excuse to learn some npf :-)

BTW, matching on a state table entry and sending a response are two different stories. Your packet comes in on vr1. There's a state table match based on the source ip/port, destination ip/port and the interface. Sounds good? Okay, then let's pass the outgoing packet... on which interface? Routing says: on vr0. `stateful-ends` should be great for dynamic routing, when the incoming interface can change on the fly (BGP, etc.) but I'm not sure it has anything to do with the outgoing interface.

-- Gergely EGERVARY
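
Added example, not part of the thread and not NPF's own code: a simplified Python model of the state keying the quoted manual text describes, showing a reply that misses a `stateful` entry when it is seen on a different interface but matches a `stateful-ends` entry. The `Packet` fields, the `StateTable` class, the reverse-key handling and the addresses are assumptions constructed for illustration; the protocol field is omitted.

```python
from collections import namedtuple

# Constructed packet model; field names are assumptions for this sketch.
Packet = namedtuple("Packet", "src sport dst dport ifname")

class StateTable:
    """Toy state table: 'stateful' keys include the interface, 'stateful-ends' keys do not."""

    def __init__(self, mode):
        if mode not in ("stateful", "stateful-ends"):
            raise ValueError(mode)
        self.mode = mode
        self.entries = set()

    def _key(self, src, sport, dst, dport, ifname):
        ends = (src, sport, dst, dport)
        return ends + (ifname,) if self.mode == "stateful" else ends

    def create(self, pkt):
        # Record the forward key and the reversed key for return traffic (assumption).
        self.entries.add(self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.ifname))
        self.entries.add(self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.ifname))

    def matches(self, pkt):
        return self._key(*pkt) in self.entries

def reply_matches(mode, first, reply):
    """Create a state from `first`, then report whether `reply` hits it."""
    table = StateTable(mode)
    table.create(first)
    return table.matches(reply)

# Constructed sample: connection first seen on vr1; reply seen on vr1 or on vr0.
FIRST = Packet("192.0.2.10", 40000, "198.51.100.5", 443, "vr1")
REPLY_SAME_IF = Packet("198.51.100.5", 443, "192.0.2.10", 40000, "vr1")
REPLY_OTHER_IF = Packet("198.51.100.5", 443, "192.0.2.10", 40000, "vr0")

if __name__ == "__main__":
    for mode in ("stateful", "stateful-ends"):
        print(mode, reply_matches(mode, FIRST, REPLY_SAME_IF),
              reply_matches(mode, FIRST, REPLY_OTHER_IF))
```

In this model a `stateful-ends` entry is matched by any packet with the same addresses and ports, whichever interface it is seen on.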