If anyone is able to help test + verify the principle idea I can extend the change to cater for early NIS and DNS so that no special infrastructure to do multiple runs is needed.
The patch can in theory be backported to firehol although it does depend on some earlier patches.
I appreciate this is not a direct reference to firehol, but I have put together a patch for my fork, sanewall, see here:
http:// lists.sanewall. org/pipermail/ sanewall- dev/2013- March/000042. html
If anyone is able to help test + verify the principle idea I can extend the change to cater for early NIS and DNS so that no special infrastructure to do multiple runs is needed.
The patch can in theory be backported to firehol although it does depend on some earlier patches.