(Resending, I fessed up the inline reply)

Arigato gozaimasu Trondd san for your very helpful reply.

I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.

However, I had not understood that the rule evaluation happens on every
interface. I now know that the "tags are sticky" actually implies that
the tags persist across evaluations on interfaces.

Also, I can now fully understand this line - "With tagging, it's
possible to do such things as create "trusts" between interfaces and
determine if packets have been processed by translation rules."

Frankly, it is my mistake. Reading back pf.conf's man page, it is there
on the second paragraph.
"Each time a packet processed by the packet filter comes in on or goes
out through an interface, the filter rules are evaluated in sequential
order, from first to last."
And NAT implies two interface traversals.
Mea Culpa.

Thanks.

Regards,
ab
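A pf.conf fragment illustrating the point settled above: a tag set during the evaluation on one interface is still present when the same packet is evaluated on the NAT interface, a tag is replaced rather than removed, and `! tagged` turns that into an inter-interface trust check. This is an added example, not from the thread; interface names and the LAN prefix are assumptions.

```pf
# Assumed topology: em0 faces the Internet, em1 faces the LAN.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Evaluated first on $ext_if. Packets that never entered via the LAN-side
# rules carry no FROM_LAN tag and are dropped (and logged) right away;
# spoofed or mis-routed traffic shows up here.
block out log quick on $ext_if ! tagged FROM_LAN

# First traversal (LAN interface): mark packets that genuinely came in
# from the LAN. The tag is sticky, so it survives into the next evaluation.
pass in on $int_if from $lan to any tag FROM_LAN

# Second traversal (external interface, the one NAT implies): both rules
# still see the FROM_LAN tag that was set on $int_if.
match out on $ext_if tagged FROM_LAN nat-to ($ext_if)
pass out on $ext_if tagged FROM_LAN

# A packet holds at most one tag and a tag cannot be removed, only
# replaced: from here on this web traffic is WEB_OUT, no longer FROM_LAN.
pass out on $ext_if proto tcp tagged FROM_LAN to port 80 tag WEB_OUT
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check before applying.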
