On Mon, Jan 31, 2011 at 04:28:28PM -0800, patrick keshishian wrote: > > --- pf.conf.5 23 Jan 2011 23:34:18 -0000 1.488 > > +++ pf.conf.5 1 Feb 2011 00:01:05 -0000 > > @@ -127,7 +127,7 @@ > > the first time a packet matches a > > .Ar pass > > rule, a state entry is created; for subsequent packets the filter checks > > -whether the packet matches any state. > > +whether the packet matches that state entry. > > but the "subsequent packets" may match any existing states in the > packet filter. Being specific to "that state entry" is confusing > (misleading?) IMO. >
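Review bot: the replacement line in the hunk, "whether the packet matches that state entry", narrows the lookup to the entry the first packet just created, but subsequent packets are checked against every existing state in the filter, so keep "any" and change only "state" to "state entry" ("whether the packet matches any state entry"). The sentence should also be split so that "for subsequent packets" is not read as part of the first-packet clause: end the first sentence at "a state entry is created." and start a fresh sentence for the state lookup, stating that a packet which matches an existing state passes without the rules being evaluated.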
you're right. the correct word is "any" (doh!). so my original idea was just to change "state" to "state entry". henning also pointed out a problem with the "subsequent packets" text.

> You may wish to break apart the sentences so that the bit about
> "subsequent packets" isn't implicitly related to the preceding
> sentence.
>
> the first time a packet matches a pass rule, a state
> entry is created.
>
> Also consider explaining what defines a state (protocol, family,
> src/dst addr/port, rdomain).
>
> Then continue fresh:
>
> The packet filter examines each packet to see if
> it matches any existing state; allowing it to pass
> if such a match is found without evaluation of any
> rules.
>

this might be a good idea. but we still need to find a place for the "no state" part of the problem.

jmc
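The behaviour the thread is trying to describe (first packet matching a pass rule creates a state entry; every later packet is checked against all existing states and passes without rule evaluation if one matches; a "no state" rule passes packets without recording anything) can be shown in a small model. The following is an added example written for this page, not pf source code and not from the thread: the state key follows the fields listed above (protocol, family, src/dst addr/port, rdomain), "no state" is modelled as a keep_state=False flag on the rule, last-matching-rule-wins is assumed for rule evaluation, and the ruleset, addresses and packets are constructed for illustration.

```python
"""Toy model of pf-style stateful filtering (illustrative, not pf code).

A state is identified by protocol, address family, source/destination
address and port, and routing domain.  The first packet matching a pass
rule creates a state entry; every later packet is first compared against
ALL existing states and, on a match, passes without the ruleset being
evaluated.  A pass rule with keep_state=False models pf's "no state":
the packet passes but no entry is recorded, so later packets of that
flow are run through the rules again.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", ...
    af: str               # "inet" or "inet6"
    src: str
    sport: int
    dst: str
    dport: int
    rdomain: int = 0
    direction: str = "in"  # "in" or "out", relative to the firewall


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = True          # False models "no state" (assumption)

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction),
            (self.proto, p.proto),
            (self.dst, p.dst),
            (self.dport, p.dport),
        ))


StateKey = Tuple[str, str, str, int, str, int, int]


def state_key(p: Packet) -> StateKey:
    return (p.proto, p.af, p.src, p.sport, p.dst, p.dport, p.rdomain)


def reverse_key(p: Packet) -> StateKey:
    # A reply has addresses and ports swapped; it must hit the same entry.
    return (p.proto, p.af, p.dst, p.dport, p.src, p.sport, p.rdomain)


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()        # every state entry currently known
        self.rule_evaluations = 0  # how often the ruleset had to be walked

    def evaluate_rules(self, p: Packet) -> Optional[Rule]:
        # Assumed semantics: without "quick", the last matching rule wins.
        self.rule_evaluations += 1
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
        return winner

    def filter(self, p: Packet) -> Tuple[str, str]:
        # State lookup first: ANY existing entry, in either direction.
        if state_key(p) in self.states or reverse_key(p) in self.states:
            return ("pass", "matched existing state")
        rule = self.evaluate_rules(p)
        if rule is None or rule.action != "pass":
            return ("block", "no matching pass rule")
        if rule.keep_state:
            self.states.add(state_key(p))
            return ("pass", "pass rule, state created")
        return ("pass", "pass rule, no state kept")


def demo():
    """Constructed ruleset and traffic; returns per-packet verdicts."""
    pf = StatefulFilter([
        Rule("block"),                                        # block all
        Rule("pass", direction="out", proto="tcp", dport=443),
        Rule("pass", direction="in", proto="udp",
             dst="192.0.2.53", dport=53, keep_state=False),   # "no state"
    ])
    syn = Packet("tcp", "inet", "192.0.2.10", 40001, "198.51.100.7", 443, direction="out")
    synack = Packet("tcp", "inet", "198.51.100.7", 443, "192.0.2.10", 40001, direction="in")
    other = Packet("tcp", "inet", "192.0.2.10", 40002, "198.51.100.7", 443, direction="out")
    dns = Packet("udp", "inet", "203.0.113.5", 5353, "192.0.2.53", 53, direction="in")
    telnet = Packet("tcp", "inet", "203.0.113.9", 5000, "192.0.2.10", 23, direction="in")
    results = {
        "syn": pf.filter(syn),        # rules walked, state created
        "synack": pf.filter(synack),  # no rule allows it inbound; the state does
        "other_flow": pf.filter(other),  # a different flow: rules walked again
        "dns1": pf.filter(dns),       # passes, nothing recorded
        "dns2": pf.filter(dns),       # same flow, rules walked again
        "telnet": pf.filter(telnet),  # only the block rule matches
    }
    return results, len(pf.states), pf.rule_evaluations
```

The synack packet is the case the wording must get right: no rule permits inbound traffic to port 443, and the entry it matches is simply one of the existing states, not a particular entry tied to "the" packet that created it. The two DNS packets show why "no state" needs its own sentence: both are passed by a rule, yet neither leaves anything behind for the next packet to match.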