On Sat, Jan 29, 2011 at 06:26:29PM +0100, Henning Brauer wrote:
> * Ted Unangst <ted.unan...@gmail.com> [2011-01-29 17:36]:
> > On Sat, Jan 29, 2011 at 5:37 AM, Henning Brauer <lists-open...@bsws.de>
> > wrote:
> > > no, that's wrong. match rules that matched during evaluation get their
> > > counters updated. aka, your rule did not match.
> >
> > ok, that's wrong. :)
> >
> > Somebody else told me to add a "pass all" rule at the top of the rule
> > set. Then it did work. But pass all is the default. Somehow adding
> > it explicitly changes the behavior of match rules. I know the rule
> > matches because it does so after adding pass all.
>
> ok, we get into semantic nitpicking...
> there is no default "pass all" rule.
> packets are being passed by default.
> that is an important difference - no state is ever created for those
> packets being passed since they didn't match a pass rule.
> now i wonder whether we fail to update the counters on match rules for
> the !state case... and the more i think about it the more i think that
> is the case.
> yup, indeed.
> not trivial to fix. the state is the link to the match rules.
>
> a change on one of my laptops (now if i knew which...) is likely to
> fix that as a side effect, but it has some bad bugs. no way it makes
> 4.9. and a fix for this issue would be either intrusive or very ugly
> (and still not trivial), thus not a viable option either. live with it
> for now.
>
> did i mention that stateless is pretty dumb anyway? :)
>
is this correct:

- match rules will not work if "no state" is also used on the rule (not sure that would make sense anyway)
- all packets are passed by default, but effectively with "no state"
- "no state" is incompatible with counters
- any packets passed without matching any rules (i.e. are not specifically blocked) are not accounted for (statistically)

that seems like a whole heap of gotchas that we don't talk about. i think we should try and document this stuff.

jmc
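A pf.conf fragment that shows the gotcha discussed in this thread, written as an added example rather than a ruleset from any of the posters; the interface group egress and the port numbers are assumptions, and the counters are read back with pfctl.

```pf
# Constructed example: why a match rule's counters stay at zero
# until an explicit pass rule creates state for the traffic.

set skip on lo

# Without this line, packets that match no block rule are still
# passed, but by the implicit default, which creates no state.
# The match rule below is then never credited for them and its
# Packets/Bytes counters in 'pfctl -vsr' remain zero (the !state
# case Henning describes). With this line a state is created and
# the match counters are updated as expected.
pass all

# Accounting-only rule: counts inbound SSH, no policy decision.
match in on egress proto tcp to port 22

# Traffic handled by a stateless pass rule is in the same boat:
# no state, so match rules that hit this traffic are not counted.
pass in on egress proto icmp no state

# Check syntax before loading:     pfctl -nf /etc/pf.conf
# Load:                            pfctl -f /etc/pf.conf
# Per-rule Evaluations/Packets/Bytes/States counters:
#                                  pfctl -vsr
```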