Problem
Currently, for any packet that has not been permitted by the ruleset, a lookup for its corresponding state is performed in the state table, regardless of which rule created that state. This behaviour does not seem entirely correct and distorts the trigger counts, especially when the packet is allowed both by the state and by some later rule.
Proposed solution
Add a "check-state" action with the possibility of specifying a tag. When such a rule is triggered, the packet + tag is looked up in the state table, and the decision (allow/deny) is made based on the result of that lookup.
Support the following syntax for check-state action:
add check-state [tag]
If no tag is given, the default tag is used. Works just as described above.
add check-state
Checks the state for all packets. This syntax is similar to ipfw.
Also add the ability to specify a tag for the "keep-state" action.
The tag only changes the composition of the key from 5-tuple to 5-tuple+tag; it is not intended to create separate hash tables internally.
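The semantics proposed above, modelled as an added example (not code from this project): state entries are keyed by 5-tuple+tag, a "check-state [tag]" rule only consults entries created under that tag and falls through on a miss, and the hit counter shows that a reply matched by state is credited to the check-state rule rather than to the later allow rule. The rule format, tag name "default" and packet sequence are constructed assumptions.

```python
from collections import Counter

DEFAULT_TAG = "default"   # assumed name for the tag used when none is given

def flow_keys(pkt, tag):
    """Both directions of the 5-tuple, each combined with the tag: the proposed key shape."""
    proto, src, sport, dst, dport = pkt
    return {(proto, src, sport, dst, dport, tag), (proto, dst, dport, src, sport, tag)}

def evaluate(rules, state, pkt, hits):
    """Walk the ruleset top-down for one packet and count which rule fired."""
    for idx, rule in enumerate(rules):
        if rule["action"] == "check-state":
            tag = rule.get("tag", DEFAULT_TAG)
            if flow_keys(pkt, tag) & state:   # only state created under this tag counts
                hits[idx] += 1
                return "allow"
            continue                          # no matching state: fall through
        if not rule["match"](pkt):
            continue
        hits[idx] += 1
        if rule.get("keep_state"):            # keep-state [tag] on an allow rule
            state |= flow_keys(pkt, rule["keep_state"])
        return rule["action"]
    return "deny"                             # implicit default at the end of the ruleset

# Constructed ruleset: an explicit check-state for the "web" tag only.
RULES = [
    {"action": "check-state", "tag": "web"},
    {"action": "allow", "match": lambda p: p[0] == "tcp" and p[4] == 80, "keep_state": "web"},
    {"action": "allow", "match": lambda p: p[0] == "tcp" and p[4] == 22, "keep_state": "ssh"},
    {"action": "deny", "match": lambda p: True},
]

def run_demo():
    """Replay a constructed packet sequence; returns (decisions, per-rule hit counts)."""
    state, hits = set(), Counter()
    packets = [
        ("tcp", "10.0.0.5", 40001, "192.0.2.10", 80),   # client SYN to web
        ("tcp", "192.0.2.10", 80, "10.0.0.5", 40001),   # web reply: found via check-state web
        ("tcp", "10.0.0.5", 40002, "192.0.2.10", 22),   # client SYN to ssh, state kept under "ssh"
        ("tcp", "192.0.2.10", 22, "10.0.0.5", 40002),   # ssh reply: no check-state for "ssh" -> denied
    ]
    decisions = [evaluate(RULES, state, p, hits) for p in packets]
    return decisions, dict(hits)

if __name__ == "__main__":
    print(run_demo())
```

The ssh reply is denied because the only check-state rule carries the "web" tag, which shows that the tag is part of the key and not merely a label.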