Re: What should happen when the size of a nftables set is reached?

On Wed, May 01, 2019 at 12:55:35PM +0200, Mikhail Morfikov wrote:
> On 01/05/2019 10:17, Pablo Neira Ayuso wrote:
> > Is this what you want to achieve?
> 
> Actually it's not about the rules. Basically I just want to know what
> should happen when the set is full. This example was simple, but imagine
> a set where you put 10K or 100K addresses and at some point the set
> becomes full. According to the simple example, the packets will skip
> the "set" rule and go through the FW without any control (at least
> without the one we wanted to achieve using the set). Shouldn't there be
> some mechanism to drop other packets from IPs that can't fit in the set
> and match the drop rule?

We can add a catch-all element, in case there is no match.

So users can define a default action in case there is no match / the set is full.

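The fall-through behaviour Mikhail describes, and the catch-all Pablo proposes, can be made concrete with a ruleset that puts an explicit verdict right after the rule that feeds the set. The ruleset below is an added example written for this archive page; it was not posted in the thread and is not netfilter project code. The table name, the `seen` set, its deliberately tiny size, the port and the verdicts are all assumptions chosen so the overflow is easy to reproduce on a test box, and it assumes a current nft with the `dynamic` set flag and the behaviour discussed in the thread: when `add @set` cannot insert an element because the set is full, the rule does not match and evaluation continues with the next rule.

```nft
# Added example, not from the thread. Assumes a current nftables where
# "add @set" fails to match once the set has reached its size limit.
table inet filter {
    # Dynamic set capped at 4 addresses so it fills after four clients.
    # Slots are freed when expired elements are garbage-collected, so
    # without a timeout a full set stays full for good.
    set seen {
        type ipv4_addr
        flags dynamic,timeout
        size 4
        timeout 1m
    }

    chain input {
        type filter hook input priority 0; policy accept;

        iif lo accept
        ct state established,related accept

        # Record the client and accept the new SSH connection.
        # If "add" cannot insert the address (set full), this rule does
        # NOT match and the packet falls through to the rule below.
        tcp dport 22 ct state new add @seen { ip saddr } accept

        # Catch-all: a new SSH connection that reaches this rule was not
        # recorded in the set, so give it an explicit verdict instead of
        # letting it slide through on the chain policy.
        tcp dport 22 ct state new counter drop
    }
}
```

Load it with `nft -f`, then open SSH connections from five distinct addresses: `nft list set inet filter seen` shows the four that were recorded, and the `counter` on the catch-all rule is the check that the fifth client really fell through and was dropped rather than silently accepted by the `policy accept`. Two caveats worth knowing when sizing such a set: an address already in the set still matches the `add` rule, so established clients keep working after the set fills, and a slot is only reclaimed when the kernel's garbage collector removes the expired element, not at the instant its timeout elapses, so the set can stay full slightly longer than the timeout suggests.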

