Swapping of connection states on inbound interface in diagnostics
When I try to connect from one VLAN, let's call it the Users VLAN, to a switch that doesn't respond in the Management VLAN, I see two states:
- The state bound to the Users interface shows my user IP -> switch IP:443 and the state: CLOSED:SYN_SENT
- The state bound to the Management interface shows the same user IP -> switch IP:443 but the state: SYN_SENT:CLOSED.
| Interface | Protocol | Source → Destination | State | Packets |
|---|---|---|---|---|
| USERS | tcp | 192.168.10.2:58319 → 192.168.99.2:443 | CLOSED:SYN_SENT | 3 / 0 |
| MANAGEMENT | tcp | 192.168.10.2:58319 → 192.168.99.2:443 | SYN_SENT:CLOSED | 3 / 0 |

According to pfSense documentation, the left side of the state shows the source side, while the right side shows the destination side.
In the state of the interface through which the packet enters the firewall (PF_IN), the source and destination are swapped: CLOSED:SYN_SENT. The code responsible for the swapping can be seen here: https://github.com/freebsd/freebsd-src/blob/3f79bc9ca336f634e1afa262ccf5155882550a8a/sbin/pfctl/pf_print_state.c#L247
What I don't understand is why pfSense decided to swap the source and destination when the packet direction is PF_IN (incoming). This is really confusing to me, as I expect the left side to show the user sending a SYN packet, but the Users interface state is showing it on the right as if it were the switch that sent the SYN packet.
The question is: why does pfSense decide to swap source and destination states in the inbound interface state (in this case the Users interface): CLOSED:SYN_SENT?
Thank you in advance.
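As an added illustration (not part of the original post or of pfSense's own code), the following Python parser reads state rows shaped like the table above and undoes the PF_IN display swap the post describes, so that the initiator's TCP state is always on the left; it assumes the operator supplies which interfaces are the inbound (PF_IN) side, and the sample rows are constructed from the post's table.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two rows from the post's state table, one per interface.
SAMPLE_STATES = """\
USERS tcp 192.168.10.2:58319 → 192.168.99.2:443 CLOSED:SYN_SENT 3 / 0
MANAGEMENT tcp 192.168.10.2:58319 → 192.168.99.2:443 SYN_SENT:CLOSED 3 / 0
"""

# Assumption: the operator knows on which interface the flow enters the firewall
# (the PF_IN side); the diagnostics table itself does not print the direction.
INBOUND_IFACES = {"USERS"}

ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)\s+"
    r"(?P<left>[A-Z_0-9]+):(?P<right>[A-Z_0-9]+)\s+(?P<fwd>\d+)\s*/\s*(?P<rev>\d+)$"
)

@dataclass
class NormalizedState:
    iface: str
    proto: str
    src: str          # host that sent the first packet of the flow
    dst: str
    src_state: str    # per-peer state, initiator first regardless of direction
    dst_state: str
    fwd_packets: int  # packets in the flow's direction
    rev_packets: int  # packets sent back by the destination

def parse_state(line: str, inbound_ifaces=INBOUND_IFACES) -> NormalizedState:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state row: {line!r}")
    left, right = m["left"], m["right"]
    # For PF_IN states the peer states are printed swapped (pf_print_state.c),
    # so the initiator appears on the right; swap back for inbound interfaces.
    if m["iface"] in inbound_ifaces:
        left, right = right, left
    return NormalizedState(m["iface"], m["proto"], m["src"], m["dst"],
                           left, right, int(m["fwd"]), int(m["rev"]))

def parse_table(text: str, inbound_ifaces=INBOUND_IFACES):
    return [parse_state(l, inbound_ifaces) for l in text.splitlines() if l.strip()]

def unanswered_syns(states):
    """Flows where the client sent SYNs and the destination never replied;
    useful for spotting an unreachable or filtered management-plane host."""
    return [s for s in states
            if s.src_state == "SYN_SENT" and s.dst_state == "CLOSED" and s.rev_packets == 0]

if __name__ == "__main__":
    for s in unanswered_syns(parse_table(SAMPLE_STATES)):
        print(f"{s.iface}: {s.src} -> {s.dst} {s.src_state}:{s.dst_state}")
```

After normalisation both rows read SYN_SENT:CLOSED, which is the view the post expected: the user sent the SYN and the switch never answered.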