* Ryan McBride <[email protected]> [2011-08-10 14:49]:
> On Wed, Aug 10, 2011 at 01:07:28PM +0200, Henning Brauer wrote:
> > this is indeed the way it was supposed to work.
>
> I disagree. This is not at all what my understanding was of how it was
> supposed to work. You'd have to talk to dhartmei about his original
> intent, but as far as I recall the current behaviour was a conscious
> decision at least when I implemented 'max-src-conn' and
> 'max-src-states'. I'll admit that the manpage is wrong, though.

the manpage admits what the intent was, really - I remember this pretty well.

> One of my greatest ongoing frustrations is the rampant inconsistency in
> the pf.conf syntax, so:
>
> 1) I strongly oppose changing the behaviour of the existing 'max' state
> option. Nothing else there, or in any of the other ( ) 'option' sections,
> applies until AFTER that rule has been selected as the last-matching
> rule, and I think we should keep it that way.

point.

> If we want this functionality, I think it should be done as a separate
> keyword, with the rest of the parameters:

puh. isn't that a bit much?

> But it's not clear to me that this is actually what's wanted here.
> mikeb, can you explain a little more clearly what you're trying to
> accomplish with these 'match only one state' rules?

and why you aren't just adding the src port as condition?

> P.S. Is it really worth slowing down the inner evaluation pf_test_rule()
> loop for this relatively little-used feature?

IMO, nope ;)
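An added pf.conf example, not part of the thread, illustrating the semantics Ryan describes: the ( ) state options are applied only after a rule has won as the last-matching rule, so hitting a limit drops the packet rather than falling through to another rule, and anything that should change which rule matches belongs in the rule's match criteria instead. The table name, port number and limits are constructed for illustration.

```pf
# Constructed illustration of pf's last-matching-rule semantics.
table <limited> persist

# Both rules below match TCP to port 2222. Without "quick", the LAST
# matching rule wins, so this first rule is never the one selected and
# none of its options would apply even if it had any.
pass in on egress proto tcp to port 2222

# This rule is the last-matching rule for those packets, so its ( )
# options apply. When a source already holds 5 states created by this
# rule, the next connection attempt is dropped and the source is added
# to <limited>; pf does NOT go back and re-evaluate the earlier rule.
pass in on egress proto tcp to port 2222 \
    keep state (max-src-states 5, overload <limited> flush)

# To make a packet match a different rule, express the criterion in the
# match part of the rule (here a source-port range), not in the ( ) options.
pass in on egress proto tcp from any port 1024:65535 to port 2222
```

Loading this with `pfctl -nf` checks the syntax; `pfctl -t limited -T show` lists sources that have exceeded the limit.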
