Mike, > we have discussed that with bluhm in berlin and initially i had the same > opinion: leave the check in the stack, but he has convinced me that it's > rather pf's job to do it.
I agree. If pf is enabled, it can do the job and there is no need for a second scan. > i'm not against bringing it back and his diff > looks fine to me, esp. since it avoids double check that was there before. His new diff resumes the scan/removal when pf is disabled. It at least tries to do *something* against at least some variations of a blistering attack. that is why I support it. Basically, if he commits his new version, he has retained the filtering for both cases, but sped up the pf-enabled case. > >> The non-pf RH0 filtering case is worthwhile. > > > > and here we disagree. Henning, you are way off the map.
