fasttrack - fallback to accept

fasttrack is indeed a cool feature, but its current implementation is confusing and misleading. it also breaks the “normal” rule behavior.

when you place a “fasttrack connection” rule in your fw, then packets matched with this rule may or may not be fasttracked. that means, not all matching packets are consumed by this rule, therefore you need an “accept” rule right after the fasttrack rule.

this is not how rules behave. also, you cannot just replace your “accept” rules with “fasttrack”, you have to add them.

so to correct this, the “fasttrack connection” action SHOULD utilize fallback to accept:

  • if fasttrack can be applied on a packet, then it is fasttracked.
  • if fasttrack cannot be applied on a packet, then it is accepted.

then and only then all matched packets are consumed, so no need for an additional accept rule and no more “broken behavior”.
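
A check for the rule layout the post describes (each fasttrack rule needs an accept rule right after it), as an added example that is not part of the original post or of RouterOS itself. It assumes the `add key=value ...` text form of an `/ip firewall filter` export; the function names are hypothetical and the sample export is constructed.

```python
import shlex

# Properties that do not change which packets a rule matches.
NON_MATCHERS = {"action", "comment", "log", "log-prefix", "hw-offload"}

def parse_filter_rules(export_text):
    """Return the 'add' lines of the /ip firewall filter section as dicts, in order."""
    rules, pending, in_filter = [], "", False
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # wrapped line: join with the next one
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def matchers(rule):
    """Matching properties only, with comma lists sorted so order does not matter."""
    return {k: ",".join(sorted(v.split(","))) for k, v in rule.items()
            if k not in NON_MATCHERS}

def fasttrack_without_accept(rules):
    """Indexes of fasttrack rules whose next rule in the same chain is not an
    accept rule with identical matchers (a missing action is treated as accept)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("action") != "fasttrack-connection":
            continue
        later = [r for r in rules[i + 1:] if r.get("chain") == rule.get("chain")]
        nxt = later[0] if later else None
        if (nxt is None or nxt.get("action", "accept") != "accept"
                or matchers(nxt) != matchers(rule)):
            findings.append(i)
    return findings

# Constructed sample export, not taken from a real router.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack only" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=fasttrack-connection chain=forward connection-state=established,related src-address=10.0.0.0/24
add action=accept chain=forward connection-state=related,established src-address=10.0.0.0/24
'''
```

On the sample, the first fasttrack rule is reported because the next forward-chain rule is a drop, while the second is paired with a matching accept and passes.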