On 2011 Aug 10 (Wed) at 22:08:25 +0900 (+0900), Ryan McBride wrote:
:On Wed, Aug 10, 2011 at 02:53:02PM +0200, Henning Brauer wrote:
:> * Ryan McBride <[email protected]> [2011-08-10 14:49]:
:> > On Wed, Aug 10, 2011 at 01:07:28PM +0200, Henning Brauer wrote:
:> > > this is indeed the way it was supposed to work.
:> >
:> > I disagree. This is not at all what my understanding was of how it was
:> > supposed to work. You'd have to talk to dhartmei about his original
:> > intent, but as far as I recall the current behaviour was a conscious
:> > decision at least when I implemented 'max-src-conn' and
:> > 'max-src-states'. I'll admit that the manpage is wrong, though.
:>
:> the manpage admits what the intent was, really - I remember this
:> pretty well.
:
:The incorrect manpage language is new. It used to (correctly) say the
:following:
:
:    "When this limit is reached, further packets that would create
:    state are dropped, until existing states time out."
:
This feels wrong to me. When specifying it in the rule line, I would expect it to matter when pf checks to see if the rule applies.

:Until "some people" *cough* decided to revise it:
:
:---------------------------------------------------------
:CVSROOT:	/cvs
:Module name:	src
:Changes by:	[email protected]	2007/11/09 08:54:53
:
:Modified files:
:	share/man/man5 : pf.conf.5
:
:Log message:
:when "max <number>" is exceeded, packets are not dropped - rather they
:fail to match;
:
:from Doichin Dokov
:diff from henning and myself
:---------------------------------------------------------

-- 
I do not fear computers. I fear the lack of them.  -- Isaac Asimov
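An added illustration, not from this thread or from the pf sources: under the "fail to match" semantics described in the commit log above, a rule that has reached its state limit drops out of rule evaluation for that packet, so with pf's default last-matching-rule semantics an earlier block rule becomes the effective match. The interface group egress, port 22 and the limit of 100 are placeholder choices.

```pf
# Constructed pf.conf fragment (placeholders: egress, port 22, limit 100).
# pf evaluates rules top to bottom; the last matching rule wins unless
# a rule carries "quick".

# Default disposition for new SSH connections: block and log to pflog.
block in log on egress proto tcp to port 22

# Allow them, but keep at most 100 states created by this rule.
# While fewer than 100 states exist, this rule is the last match -> pass.
# Once the limit is reached, new packets fail to match this rule, so the
# block rule above is the last match -> the overflow is blocked and
# logged rather than silently dropped. Per-rule evaluation and state
# counters are visible with "pfctl -s rules -v".
pass in on egress proto tcp to port 22 keep state (max 100)
```

Under the older "dropped" wording quoted earlier in the thread, the overflow packets would never reach the block rule and nothing would be logged, which is the practical difference the two readings make.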
