ipfilter: keep state per-interface?

To: tech-net%netbsd.org@localhost
Subject: ipfilter: keep state per-interface?
From: Timo Buhrmester <fstd.lkml%gmail.com@localhost>
Date: Mon, 26 Dec 2016 19:56:25 +0100

Hi,

suppose you have a router with two interfaces:
- vr0, behind which is 192.168.0.0/24, and
- vr1, behind which is 192.168.1.0/24

and a (testcase) ipf.conf like this:
  block in quick on vr0 all
  block out quick on vr0 all
  pass in quick on vr1 family inet proto udp from any to any keep state

I noticed that UDP datagrams ingressing on vr1 do get routed out on vr0,
the 'block out on vr0 all' rule notwithstanding.

I assume that is because I keep state on the packets when they arrive
on vr1.

Is this a bug, or is it working as designed?  For some reason, I
assumed there to be per-interface state tables and hence consideration
of the vr0 rules (i.e. I assumed a 'keep state' on a vr1 rule would only
skip looking at the vr1 rules for future matching packets)

Follow-Ups:
- Re: ipfilter: keep state per-interface?
  - From: Egerváry Gergely

Prev by Date: pf: IPv6 stateful forwarding is broken
Next by Date: Re: ipfilter: keep state per-interface?
Previous by Thread: pf: IPv6 stateful forwarding is broken
Next by Thread: Re: ipfilter: keep state per-interface?
Indexes:

Home | Main Index | Thread Index | Old Index