On Wed, Aug 13, 2003 at 01:43:18PM +0200, Hendrik Scholz wrote: > You'd have to add the tos statement to both rules in case you want > the replies to incoming icmp echo request packets to be passed out > with a tos flag set.
Yes. Basic question is: do you want to set the same tos on all packets of one connection (state entry) automatically? Or is setting tos completely unrelated to connections, and you want to do it per packet (no matter what connection the packet might be part of). Doing it in scrub is the second case, scrubbing happens for individual packets before a state lookup is done, hence scrub rules know nothing about state entries (what connection the packet might be part of). Doing it in pass keep state rules could use the state entry association to set tos for all packets of the connection. Daniel
