Subject: Re: kern/28418
To: None <darrenr@netbsd.org, gnats-admin@netbsd.org,>
From: Darren Reed <darrenr@NetBSD.org>
List: netbsd-bugs
Date: 06/16/2005 22:53:02
The following reply was made to PR kern/28418; it has been noted by GNATS.

From: Darren Reed <darrenr@NetBSD.org>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/28418
Date: Thu, 16 Jun 2005 22:52:33 +0000

 On Sat, Jun 11, 2005 at 02:06:29PM -0400, Christos Zoulas wrote:
 > On Jun 11, 11:46am, darrenr@netbsd.org (Darren Reed) wrote:
 > -- Subject: Re: kern/28418
 > 
 > | Did this problem eventually get fixed?
 > 
 > Yes, but each time we import a new version of ipf, I have to re-apply
 > the patch.
 
 Now I see what the patch is...
 
 What particular scenario are you concerned about?
 People writing:
 pass in quick proto icmp all keep state
 
 and finding ICMP echo-reply packets blocked?
 Or something else?
 
 The problem here is that the "add state" happens after the rule
 processing has been finished.
 
 Maybe a better solution is to move where state gets added so that
 if a rule is a "quick" rule and it is also "keep state", we try and
 add the state immediately and if it fails, continue processing the
 rest of the rules.
 
 Comments?
 
 Darren
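
The two orderings discussed in the message above, as a simplified model added here for illustration; it is not IPFilter source and not code from this thread. The structures, function names, the `state_ok` flag standing in for a failed state add, the block-on-failure outcome and the default action are all assumptions.

```c
/* Simplified model of the rule walk; not IPFilter source. All names are hypothetical. */
#include <stddef.h>
enum action { BLOCK = 0, PASS = 1 };
#define PROTO_ICMP 1
#define DEFAULT_ACTION BLOCK          /* assumption: no rule decided => block */
struct rule { enum action act; int quick, keep_state, proto; /* proto 0 = any */ };
struct pkt  { int proto; int state_ok; /* constructed: can a state entry be made? */ };

/* Stand-in for the state-table insert; fails when the packet cannot create state. */
static int state_add(const struct pkt *p) { return p->state_ok ? 0 : -1; }
static int matches(const struct rule *r, const struct pkt *p) { return r->proto == 0 || r->proto == p->proto; }

/* Ordering described in the message: state is added after rule processing ends. */
enum action eval_state_after(const struct rule *rs, size_t n, const struct pkt *p)
{
    const struct rule *hit = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!matches(&rs[i], p)) continue;
        hit = &rs[i];                 /* last match wins ... */
        if (rs[i].quick) break;       /* ... unless the rule is "quick" */
    }
    if (hit == NULL) return DEFAULT_ACTION;
    if (hit->keep_state && state_add(p) != 0)
        return BLOCK;                 /* assumption: too late to consult other rules */
    return hit->act;
}

/* Proposed ordering: a "quick" + "keep state" rule adds state at once and, if
 * that fails, the walk continues with the remaining rules. */
enum action eval_state_inline(const struct rule *rs, size_t n, const struct pkt *p)
{
    const struct rule *hit = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!matches(&rs[i], p)) continue;
        if (rs[i].quick && rs[i].keep_state) {
            if (state_add(p) == 0) return rs[i].act;
            continue;                 /* state add failed: fall through to later rules */
        }
        hit = &rs[i];
        if (rs[i].quick) break;
    }
    if (hit == NULL) return DEFAULT_ACTION;
    if (hit->keep_state && state_add(p) != 0) return BLOCK;
    return hit->act;
}

/* Constructed sample: "pass in quick proto icmp all keep state", then a plain pass rule. */
const struct rule sample_rules[] = { { PASS, 1, 1, PROTO_ICMP }, { PASS, 0, 0, PROTO_ICMP } };
const struct pkt  pkt_no_state = { PROTO_ICMP, 0 }, pkt_state = { PROTO_ICMP, 1 };
int main(void) { return eval_state_inline(sample_rules, 2, &pkt_no_state) == PASS ? 0 : 1; }
```

With the sample rules, a packet that cannot create state is blocked under the first ordering and reaches the second rule under the proposed one; a packet that can create state passes under both.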