Hello, thanks for clarifying things.
> However, this solution is not correct for us. Perhaps you have some > other changes in your tree to make it work. > yes, that's correct. We had to make PF SMP friendly. We don't want packet to remove the ONCE rule from its ruleset. Instead the pf_test_rule(), marks rule as deleted and schedules it for garbage collection, so the pf_purge_rule() is never executed by pf_test_rule(). looks like your patch still fits well with our implementation, I'll give it a try. thanks and regards sasha
