If the label keyword is something like the tag keyword, then the last one sticks.
However, you cannot (to my knowledge) exclude a port from a range. You could, however, have two rules with the disjoint ranges, or subtract the statistics of the narrow rule (matching that one port) from the more broad rule. Or, you could make the narrow rule come first and use "quick" to prevent it from matching the broad rule which follows. It is unfortunate that such transformations will affect your rule processing, but the two are intertwined at the moment. -- http://www.lightconsulting.com/~travis/ -><- Knight of the Lambda Calculus "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
