On Wed, Aug 10, 2011 at 02:53:02PM +0200, Henning Brauer wrote:
> * Ryan McBride <[email protected]> [2011-08-10 14:49]:
> > On Wed, Aug 10, 2011 at 01:07:28PM +0200, Henning Brauer wrote:
> > > this is indeed the way it was supposed to work.
> >
> > I disagree. This is not at all what my understanding was of how it was
> > supposed to work. You'd have to talk to dhartmei about his original
> > intent, but as far as I recall the current behaviour was a conscious
> > decision at least when I implemented 'max-src-conn' and
> > 'max-src-states'. I'll admit that the manpage is wrong, though.
>
> the manpage admits what the intent was, really - I remember this
> pretty well.
The incorrect manpage language is new. It used to (correctly) say the
following:
"When this limit is reached, further packets that would create
state are dropped, until existing states time out."
Until "some people" *cough* decided to revise it:
---------------------------------------------------------
CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2007/11/09 08:54:53
Modified files:
share/man/man5 : pf.conf.5
Log message:
when "max <number>" is exceeded, packets are not dropped - rather they
fail to match;
from Doichin Dokov
diff from henning and myself
---------------------------------------------------------
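An added pf.conf example (not from any of the posters above) showing why the two readings of "max" matter to a ruleset author, and a way to write the rules so the packet ends up dropped under either reading; the interface name and server address are assumed, and the label is a constructed name.

```pf
# Added example, not from the thread. Interface and address are assumptions.
ext_if  = "em0"           # assumed external interface
web_srv = "192.0.2.10"    # constructed address from the documentation range

# pf evaluates rules in order and the *last* matching rule wins (no "quick").
block log all

# Counter rule for the overflow case. Under the "fail to match" reading of
# max, a new connection that exceeds the limit below does not match the pass
# rule, so this is the last rule that matched and the packet is blocked here.
# The label gives a counter (pfctl -sl) so hitting the limit is visible.
block in log on $ext_if proto tcp to $web_srv port 80 label "web-overflow"

# At most 500 concurrent states may be created by this rule.
#  - "dropped" reading:        the 501st SYN is dropped by this rule itself.
#  - "fails to match" reading: the 501st SYN skips this rule and the labeled
#                              block rule above decides its fate.
# Either way the packet is dropped; only where it is counted differs.
pass in on $ext_if proto tcp to $web_srv port 80 keep state (max 500)
```

Without the labeled block rule, a "fails to match" packet would still be caught by the default `block log all`, but it would be indistinguishable in pflog from any other denied traffic.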