* Jason McIntyre <j...@kerhand.co.uk> [2011-01-30 09:13]:
> On Sat, Jan 29, 2011 at 06:26:29PM +0100, Henning Brauer wrote:
> > * Ted Unangst <ted.unan...@gmail.com> [2011-01-29 17:36]:
> > > On Sat, Jan 29, 2011 at 5:37 AM, Henning Brauer <lists-open...@bsws.de>
> > > wrote:
> > > > no, that's wrong. match rules that matched during evaluation get their
> > > > counters updated. aka, your rule did not match.
> > >
> > > ok, that's wrong. :)
> > >
> > > Somebody else told me to add a "pass all" rule at the top of the rule
> > > set. Then it did work. But pass all is the default. Somehow adding
> > > it explicitly changes the behavior of match rules. I know the rule
> > > matches because it does so after adding pass all.
> >
> > ok, we get into semantic nitpicking...
> > there is no default "pass all" rule.
> > packets are being passed by default.
> > that is an important difference - no state is ever created for those
> > packets being passed since they didn't match a pass rule.
> > now i wonder whether we fail to update the counters on match rules for
> > the !state case... and the more i think about it the more i think that
> > is the case.
> > yup, indeed.
> > not trivial to fix. the state is the link to the match rules.
> >
> > a change on one of my laptops (now if i knew which...) is likely to
> > fix that as a side effect, but it has some bad bugs. no way it makes
> > 4.9. and a fix for this issue would be either intrusive or very ugly
> > (and still not trivial), thus not a viable option either. live with it
> > for now.
> >
> > did i mention that stateless is pretty dumb anyway? :)
> >
>
> is this correct:
>
> - match rules will not work if "no state" is also used on the rule (not
> sure that would make sense anyway)

well, they do "work".

> - all packets are passed by default, but effectively with "no state"

correct.

> - "no state" is incompatible with counters

no, that's wrong. there is a bug with counters on match rules in the no
state case, that's gonna be fixed somewhen.

> - any packets passed without matching any rules (i.e. are not
> specifically blocked) are not accounted for (statistically)

well, they still update the global counters.

> that seems like a whole heap of gotchas that we don't talk about. i
> think we should try and document this stuff.

hmm. it really comes down to the no state for packets not matching any
pass rules.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
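The behaviour Henning and Ted are discussing is easy to reproduce with three tiny pf.conf rulesets, shown below as an added example (this is not code from the thread or from OpenBSD; the interface name em0, the port, and the label name are assumptions chosen for illustration). The point it makes visible: without a pass rule that creates state, a packet is passed by pf's default and the match rule it hit is applied but never gets its per-rule counters updated, because the state entry is what links a packet back to the match rules it matched. Henning describes this as a bug that will be fixed later and not in 4.9, so on a current release verify the behaviour with the pfctl commands in the comments rather than assuming either outcome.

```pf
# Added example (not from the thread): three minimal rulesets that make
# the match-rule counter behaviour visible. "em0", port 22 and the label
# "ssh-in" are assumptions for illustration; load one ruleset at a time.

# --- Ruleset A: a match rule and no pass rule at all -----------------------
# Nothing matches a pass rule, so packets are passed by pf's default and no
# state is created. The match rule's action (here: the label) is still
# applied, but the per-rule counters from "pfctl -vsr" and the label
# counters from "pfctl -sl" are not updated for it (Henning's bug).
# Only the global counters in "pfctl -si" move.
match in on em0 inet proto tcp to port 22 label "ssh-in"

# --- Ruleset B: the same match rule plus an explicit "pass all" ------------
# "pass all" is not the default; it is a real rule, and pass rules keep
# state unless told otherwise. Once the packet creates state, the match
# rule it hit gets its counters updated, which is why adding "pass all"
# made Ted's match rule appear to start matching.
pass all
match in on em0 inet proto tcp to port 22 label "ssh-in"

# --- Ruleset C: "pass all" without state -----------------------------------
# Back to the stateless case: the packet now matches a pass rule, but that
# rule creates no state, so there is still nothing to carry the link back
# to the match rule. For the match rule's counters this is ruleset A again.
pass all no state
match in on em0 inet proto tcp to port 22 label "ssh-in"

# How to check, after "pfctl -f /etc/pf.conf" and some traffic to port 22:
#   pfctl -vsr    per-rule Evaluations / Packets / Bytes / States
#   pfctl -sl     per-label packet and byte counters
#   pfctl -si     global counters (these move in all three cases)
#   pfctl -ss     state table: empty for A and C, populated for B
```

If you rely on match-rule labels for accounting (traffic graphs, billing, abuse detection), the practical consequence is that every flow you want counted must end up in a stateful pass rule; a match rule alone, or a match rule behind a "no state" pass, counts nothing until the fix Henning mentions lands.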