Feature #16502
Support state killing on gateway recovery for policy-routed traffic from the firewall itself
% Done: 100%
Plus Target Version: 25.11
Release Notes: Default
Description
The "State Killing on Gateway Recovery" options under System > Advanced > Miscellaneous are an "all or nothing" solution. Notably, none of the options allow for both of the following at the same time:
- Kill states from the firewall itself for lower-priority gateways
- Keep states from policy routing user rules that specify a (non-group) gateway which is also part of the default failover gateway group.

Example configuration:
- The "State Killing on Gateway Recovery" option is set to "Kill all states for lower-priority gateways".
- The default failover gateway group is called WANGROUP with gateway members WAN1GW (tier 1) and WAN2GW (tier 2).
- Both WAN1GW and WAN2GW are online.
- A user rule policy-routes all traffic to 198.51.100.1 via WAN2GW.
- A user rule policy-routes all other traffic via WANGROUP.
In this configuration, states for 198.51.100.1 will be reset each time the filter is reloaded (e.g. as part of the scheduled rules cron job). This happens because the states exist for a lower-priority gateway.
Add a new option which allows for state killing on gateway recovery (for traffic from the firewall itself) without unnecessarily also killing states from policy routing user rules.
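
The following sketch is an added illustration, not pfSense code and not part of the original report. It models the configuration above and compares which states the existing "Kill all states for lower-priority gateways" option selects with what a firewall-only option would select. The `State` class, the function names, the `origin` field and the sample addresses other than 198.51.100.1 are assumptions made for the example, and the firewall-only policy is one reading of the request.

```python
from dataclasses import dataclass

# Constructed model of the configuration in the description (not pfSense code).
GROUP_TIERS = {"WAN1GW": 1, "WAN2GW": 2}   # WANGROUP members and their tiers
ONLINE = {"WAN1GW", "WAN2GW"}              # both gateways are online


@dataclass(frozen=True)
class State:
    dst: str        # destination address (constructed sample values)
    gateway: str    # gateway the state is bound to
    origin: str     # "firewall" = from the firewall itself, "rule" = user rule


def lower_priority(gateway):
    """True if a better-tier member of the group is currently online."""
    best = min((GROUP_TIERS[g] for g in ONLINE if g in GROUP_TIERS), default=None)
    # Gateways outside the group, or a group with no online member, never match.
    return best is not None and GROUP_TIERS.get(gateway, best) > best


def kill_all_lower_priority(states):
    """Existing option: every state on a lower-priority gateway is killed."""
    return [s for s in states if lower_priority(s.gateway)]


def kill_firewall_only(states):
    """Requested option (hypothetical reading): only firewall-originated states."""
    return [s for s in states
            if lower_priority(s.gateway) and s.origin == "firewall"]


STATES = [
    State("198.51.100.1", "WAN2GW", "rule"),     # pinned to WAN2GW by a user rule
    State("203.0.113.10", "WAN1GW", "rule"),     # routed via WANGROUP, on tier 1
    State("192.0.2.53", "WAN2GW", "firewall"),   # firewall traffic left on WAN2GW
]

if __name__ == "__main__":
    for name, policy in (("kill all lower-priority", kill_all_lower_priority),
                         ("firewall only", kill_firewall_only)):
        print(name, [s.dst for s in policy(STATES)])
```

With the existing option, the state pinned to WAN2GW by the user rule is selected on every evaluation even though no gateway changed status, which matches the repeated resets described above.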