On Wed, Aug 17, 2005 at 01:12:00AM +1000, Darren Reed wrote:
> No, you're not. Or rather, the keep-state rule is "ignored."
>
> The problem was this.
>
> With quick keep-state rules, it used to be that if the packet matched
> but failed to create state then it would still be passed.
>
> This seemed like an error to me, so I modified the behaviour to be such
> that a packet that failed to create state would be automatically blocked.
>
> This caused further problems for a different set of people, so it seemed
> like the right thing to do was make adding state part of the requirements
> for a successful match if "quick" was involved.
>
Ok, I see. What about this: I can imagine things like this:

pass in on if0 quick log from 10.0.0.1 to any keep state
pass in on if0 quick log from 10.0.0.0/8 to any keep state

A failure in keeping state means the session would not be logged.

Perhaps there are other actions than "log" that could be used in the
above way (e.g. routing to some address).

Perhaps there should be a tunable parameter that specifies this.

-Guido
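As an added illustration, not IPFilter code and not part of this thread, the following Python model walks a rule list under the three behaviours Darren describes for a "quick keep state" rule whose state entry cannot be created, and evaluates Guido's two rules with a full state table. It is a constructed simplification: interface and direction are ignored, a single "state table full" flag stands in for any state-creation failure, and the assumption that "log" still fires under the intermediate block-on-failure behaviour is mine. The third rule without "keep state" is also my addition, included to show that a rule that never tries to keep state still matches when the stateful rules fall through.

```python
"""Constructed model of IPFilter 'quick keep state' matching, not ipf source.

Demonstrates why, under the current semantics (state creation is part of
the match), a state-creation failure means neither of Guido's rules
matches and the session is neither passed nor logged.
"""
import ipaddress
from dataclasses import dataclass, field

NET = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """One ipf-style rule; interface ('on if0') and direction are omitted."""
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network   # 'from <src> to any'
    quick: bool = False
    log: bool = False
    keep_state: bool = False


@dataclass
class Verdict:
    action: str                                    # final disposition
    logged_by: list = field(default_factory=list)  # 1-based rule numbers whose 'log' fired
    state_created: bool = False


# The three behaviours described in Darren's reply.
PASS_ANYWAY = "pass_anyway"        # original: matched, state failed, packet still passed
BLOCK_ON_FAIL = "block_on_fail"    # intermediate: state failure blocks the packet
STATE_IS_MATCH = "state_is_match"  # current: no state entry means no match, fall through


def evaluate(rules, src_ip, state_table_full, semantics, default_action="block"):
    """Walk the rules in order for one packet from src_ip and return a Verdict.

    state_table_full=True simulates every 'keep state' attempt failing.
    Non-quick rules use last-match-wins; quick rules return immediately.
    """
    ip = ipaddress.IPv4Address(src_ip)
    verdict = Verdict(action=default_action)
    for n, rule in enumerate(rules, start=1):
        if ip not in rule.src:
            continue
        state_failed = rule.keep_state and state_table_full
        if state_failed and rule.quick and semantics == STATE_IS_MATCH:
            # Current behaviour: the rule is treated as not matching at all,
            # so none of its actions (pass, log, route-to, ...) apply.
            continue
        if rule.log:
            verdict.logged_by.append(n)
        if state_failed and rule.quick and semantics == BLOCK_ON_FAIL:
            # Assumption: the rule matched, so 'log' fired, but the packet is dropped.
            verdict.action = "block"
        else:
            verdict.action = rule.action
        verdict.state_created = rule.keep_state and not state_table_full
        if rule.quick:
            return verdict
    return verdict


# Guido's two rules (interface omitted).
GUIDO_RULES = [
    Rule("pass", NET("10.0.0.1/32"), quick=True, log=True, keep_state=True),
    Rule("pass", NET("10.0.0.0/8"), quick=True, log=True, keep_state=True),
]

# Added variant: a stateless catch-all so the session is at least logged
# when state creation fails under the current semantics.
WITH_STATELESS_FALLBACK = GUIDO_RULES + [
    Rule("pass", NET("10.0.0.0/8"), quick=True, log=True, keep_state=False),
]


if __name__ == "__main__":
    for sem in (PASS_ANYWAY, BLOCK_ON_FAIL, STATE_IS_MATCH):
        v = evaluate(GUIDO_RULES, "10.0.0.1", state_table_full=True, semantics=sem)
        print(f"{sem:15} table full -> {v.action:5} logged_by={v.logged_by}")
    v = evaluate(WITH_STATELESS_FALLBACK, "10.0.0.1", True, STATE_IS_MATCH)
    print(f"fallback rule   table full -> {v.action:5} logged_by={v.logged_by}")
```

Run as a script it prints one line per behaviour; with a full state table the current semantics yield "block" with an empty logged_by list for Guido's rule set, which is exactly the unlogged session his message points at.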
