Kajetan Staszkiewicz

Sysadmin / Network Engineer / Wannabe FreeBSD Developer / IPv6 Enthusiast
@Larvitz For each packet of the transit traffic, first the states will be checked, and then all other rules one by one. I’d recommend either putting the stateless rules at the beginning, or even making them stateful but allowing them to create states for asymmetric traffic ignoring TCP flags.
@david_chisnall There’s a similar issue with some tests for pf. They use a “server” to send network traffic through pf to, and that server is netcat or inetd, spawned from the test shell script with &. Has the process really started? Even if it has, then did it reach the stage where it can accept a connection? There is no way of telling, so the tests are full of `sleep 1`, which, if you run a lot of them in parallel, is not enough, and the tests fail. Systemd has sd_notify.
@vermaden Thank you for reminding me to finally add my own release notes :)
@mzar Is that kernel compiled with RSS enabled? Are there any benefits to that?
@mzar But you have to thank @kp for that! I ported modern NAT and scrub syntax, he did af-to.
@david_chisnall I don't think so. I had a similar issue with ordering services (wireguard, strongswan, bird) around network startup and ended up developing a resource for Puppet which modifies existing rc files. It is not a perfect solution but since it's automated, the files will eventually be modified after any upgrade or reinstallation of the server.
@EUCommission I’d rather see every centimeter being protected :)
@jbz Haven’t WhatsApp servers been all moved to Linux after Facebook acquired WhatsApp?
@lw Why not netlink?
@debacle Is the offer still available? The link just returns a 404.