* Ted Unangst <ted.unan...@gmail.com> [2011-01-29 17:36]:
> On Sat, Jan 29, 2011 at 5:37 AM, Henning Brauer <lists-open...@bsws.de>
> wrote:
> > no, that's wrong. match rules that matched during evaluation get their
> > counters updated. aka, your rule did not match.
> 
> ok, that's wrong. :)
> 
> Somebody else told me to add a "pass all" rule at the top of the rule
> set.  Then it did work.  But pass all is the default.  Somehow adding
> it explicitly changes the behavior of match rules.  I know the rule
> matches because it does so after adding pass all.

ok, we get into semantic nitpicking...
there is no default "pass all" rule.
packets are being passed by default.
that is an important difference - no state is ever created for those
packets being passed since they didn't match a pass rule.
now i wonder whether we fail to update the counters on match rules for
the !state case... and the more i think about it the more i think that
is the case.
yup, indeed.
not trivial to fix. the state is the link to the match rules.

a change on one of my laptops (now if i knew which...) is likely to
fix that as a side effect, but it has some bad bugs. no way it makes
4.9. and a fix for this issue would be either intrusive or very ugly
(and still not trivial), thus not a viable option either. live with it
for now.

did i mention that stateless is pretty dumb anyway? :)

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

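As an added illustration of the behaviour described in the reply above (this is constructed example configuration, not a rule set from the thread; the interface name em0 and the port are assumptions), two minimal pf.conf variants side by side: one where packets are passed only by pf's default behaviour, and one with an explicit pass rule that creates state.

```pf
# Added example, not from the thread. Interface and port are placeholders.

# Variant A: a match rule with no pass rule at all.
# Packets are still passed, but by pf's default behaviour, not by a rule,
# so no state is created. The match rule evaluates true, yet its counters
# are never updated because the state is what links a packet back to the
# match rules it hit.
match in on em0 proto tcp to port 22

# Variant B: the same match rule followed by an explicit "pass all".
# Now the packet matches a pass rule, state is created (pass rules keep
# state by default), and the state carries the link to the match rule,
# so the match rule's counters are updated as expected.
match in on em0 proto tcp to port 22
pass all
```

To compare the two, load one variant at a time with `pfctl -f /etc/pf.conf`, generate some matching traffic, and read the per-rule counters with `pfctl -vsr`; only with variant B will the match rule's packet and byte counters move.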