> On Sun, Aug 14, 2005 at 04:03:53PM +1000, Darren Reed wrote:
> > for "quick" rules that do "keep state", move the state adding into the rule
> > evaluation so that we can detect it failing as rules are evaluated and
> > continue on to the next rather than wait until we're done and it's too late
> > to recover for more rule processing.
>
> You mean that when you have a quick+keep state rule, and the state addition
> fails, that the packet will be matched against the following rules????
>
> I hope I'm misunderstanding.
No, you're not. Or rather, the keep-state rule is "ignored."

The problem was this. With quick keep-state rules, it used to be that if the packet matched but failed to create state then it would still be passed. This seemed like an error to me, so I modified the behaviour to be such that a packet that failed to create state would be automatically blocked. This caused further problems for a different set of people, so it seemed like the right thing to do was make adding state part of the requirements for a successful match if "quick" was involved.

Comments?

Darren
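The three behaviours discussed in the message above (pass anyway, block on failure, treat the rule as not matched and keep evaluating) can be made concrete with a small rule evaluator. This is an added, constructed model and not IPFilter source code: the rule and packet representation, the fixed-size state table used to force a state-creation failure, the policy names and the default verdict are all assumptions made for the illustration. It uses a ruleset with a trailing stateless pass rule to show what Marc is asking about, namely that under the "not matched" semantics a packet whose state entry could not be created falls through to the following rules.

```python
"""Constructed model of what a 'quick' rule with 'keep state' does when the
state entry cannot be created. Illustration only; not IPFilter source code.
The rule/packet representation, the policy names and the default verdict
are assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PASS, BLOCK = "pass", "block"
POLICIES = ("old", "block", "nomatch")


@dataclass
class Rule:
    action: str                  # PASS or BLOCK
    quick: bool = False          # stop evaluation on match
    keep_state: bool = False     # create a state entry on match
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return self.dport is None or self.dport == pkt["dport"]


class StateTable:
    """Fixed-size table so that state creation can be made to fail."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = set()

    def add(self, pkt: dict) -> bool:
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False          # table full: state creation fails
        self.entries.add(key)
        return True


def evaluate(rules: List[Rule], pkt: dict, table: StateTable,
             policy: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the rule that decided it).

    Non-quick rules use last-match semantics; a quick rule ends evaluation.
    'policy' selects what a quick keep-state rule does when state insertion
    fails:
      'old'     - the rule still matches and decides the packet (no state)
      'block'   - the packet is blocked on the spot
      'nomatch' - the rule is treated as not matching; continue down the list
    Failures on non-quick keep-state rules are ignored here (simplification).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    verdict, decided_by = BLOCK, None   # default if nothing matches (model choice)
    for idx, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if rule.keep_state and not table.add(pkt) and rule.quick:
            if policy == "block":
                return BLOCK, idx
            if policy == "nomatch":
                continue              # fall through to the following rules
            # 'old': accept the match even though no state was created
        verdict, decided_by = rule.action, idx
        if rule.quick:
            return verdict, decided_by
    return verdict, decided_by


# Constructed ruleset: a default block, the quick keep-state pass under
# discussion, and a later stateless pass for the same traffic.
RULES = [
    Rule(BLOCK),                                        # 0: block in all
    Rule(PASS, quick=True, keep_state=True, dport=80),  # 1: pass in quick ... port 80 keep state
    Rule(PASS, dport=80),                               # 2: pass in ... port 80 (no state)
]


def run_scenario(policy: str, capacity: int,
                 dport: int) -> Tuple[str, Optional[int], int]:
    """Evaluate one constructed packet against RULES with a state table of
    the given capacity; returns (verdict, deciding rule index, entries created)."""
    table = StateTable(capacity)
    pkt = {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": dport}  # constructed packet
    verdict, idx = evaluate(RULES, pkt, table, policy)
    return verdict, idx, len(table.entries)


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:8s} table full: {run_scenario(policy, 0, 80)}"
              f"  table has room: {run_scenario(policy, 1, 80)}")
```

With the table full, the "old" policy passes the port-80 packet from rule 1 without any state, the "block" policy drops it at rule 1, and the "nomatch" policy skips rule 1 and lets rule 2 pass the packet statelessly. When the table has room all three policies agree, and a packet for another port is decided by the default block rule regardless of policy, so the choice only matters on the failure path.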
