pf packet processing internals
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pf packet processing internals
- From: Daniel Hamlin <hamlin_(_at_)_rose-hulman_(_dot_)_edu>
- Date: Wed, 10 Nov 2004 14:06:34 -0500
I want to make sure I have a clear understanding about how pf handles
packets. I've read the PF guide, searched Google with "pf packet
processing" "OpenBSD pf internals" "pf process packet OpenBSD", searched
the mailing lists, searched MARC, and I've read the FAQ.
My question is, does pf process each packet twice (once when the packet
comes in and once when it goes out)? I know the documentation says "the
last matching rule wins", but when I use the following pf.conf (on 3.6
GENERIC), my traffic is blocked:
pass all
block in on fxp1 from 192.168.0.2 to any
pass out on fxp0 from 192.168.0.2 to any
The test computer (192.168.0.2) is on the fxp1-side of the firewall, so
its traffic would be coming in fxp1 (and thus would match rule 2); the
traffic is destined for a device on the fxp0 side (and should match rule
3). If "the last matching rule wins", then I would expect my traffic to
be passed, but it isn't. When I comment out rule 2, traffic flows as
expected.
If pf processes the packet twice (once for in, once for out), then I
would expect the behavior I'm seeing. Am I missing something? Is there
any documentation about how packets flow through pf? I've seen some
diagrams for Linux's iptables, but I haven't found any for pf.
Dan Hamlin
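The behaviour described in the post can be reproduced with a small model of pf's rule evaluation. This is an added example, not part of the original message and not pf's own code: a forwarded packet is filtered once inbound on the interface it arrived on and, only if that pass did not block it, once more outbound on the interface it leaves by, with "last matching rule wins" applied separately inside each of those evaluations. The model is deliberately simplified (assumptions: no state table, no `quick`, only `pass`/`block`, only direction, interface and source address are matched, destination is ignored); the `Rule`, `parse_rule`, `evaluate` and `forward` names are this example's own.

```python
"""Simplified model of pf rule evaluation per interface pass.

Constructed example, not pf's implementation. Assumptions: no state
table, no 'quick', actions limited to pass/block, and only direction,
interface and source address are matched ('to ...' is parsed but
ignored). Within one evaluation the last matching rule wins.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # "in", "out" or None (both)
    iface: Optional[str] = None         # interface name or None (any)
    src: Optional[str] = None           # source address or None (any)

    def matches(self, direction: str, iface: str, src: str) -> bool:
        return ((self.direction is None or self.direction == direction)
                and (self.iface is None or self.iface == iface)
                and (self.src is None or self.src == src))


def parse_rule(line: str) -> Rule:
    """Parse the subset of pf.conf syntax used in the posted ruleset."""
    tokens = line.split()
    rule = Rule(tokens[0])
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "on":
            i += 1
            rule.iface = tokens[i]
        elif t == "from":
            i += 1
            rule.src = None if tokens[i] == "any" else tokens[i]
        elif t == "to":
            i += 1                      # destination not modelled
        elif t == "all":
            pass                        # matches everything
        i += 1
    return rule


def evaluate(rules: List[Rule], direction: str, iface: str, src: str) -> str:
    """One ruleset evaluation: last matching rule wins (no 'quick').

    pf's implicit default when no rule matches is pass.
    """
    verdict = "pass"
    for rule in rules:
        if rule.matches(direction, iface, src):
            verdict = rule.action
    return verdict


def forward(rules: List[Rule], in_iface: str, out_iface: str,
            src: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Filter a forwarded packet: inbound pass first, outbound pass only
    if the inbound pass did not block it. Returns (final verdict, hops)."""
    hops = []
    v_in = evaluate(rules, "in", in_iface, src)
    hops.append(("in", in_iface, v_in))
    if v_in == "block":
        return "block", hops
    v_out = evaluate(rules, "out", out_iface, src)
    hops.append(("out", out_iface, v_out))
    return v_out, hops


# The three rules from the post (constructed copy of the posted pf.conf).
PF_CONF = """\
pass all
block in on fxp1 from 192.168.0.2 to any
pass out on fxp0 from 192.168.0.2 to any
"""
RULES = [parse_rule(ln) for ln in PF_CONF.splitlines() if ln.strip()]
# Same ruleset with rule 2 commented out, as the post describes.
RULES_NO_BLOCK = [RULES[0], RULES[2]]

if __name__ == "__main__":
    for name, rs in (("with rule 2", RULES), ("without rule 2", RULES_NO_BLOCK)):
        verdict, hops = forward(rs, "fxp1", "fxp0", "192.168.0.2")
        print(name, hops, "->", verdict)
```

Run as is, the first case stops after the inbound evaluation on fxp1 with `block`, so rule 3 is never consulted; the second case passes both evaluations. "Last matching rule wins" only orders rules within one of those passes, which is why rule 3 cannot override rule 2.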