Override route-to for hidden firewall host outbound rules?
-
2.1-RC0 (amd64)
built on Thu Jul 18 23:31:28 EDT 2013
FreeBSD 8.3-RELEASE-p8

I want to override the hidden rules below with a floating rule(s). Note that 1.1.1.42, .45, and .46 are the external firewall IP, the WAN CARP, and an IP alias. Ideally there would be an option to keep the route-to from appearing in the rules at all, but that does not seem to be an available option.
I am not 100% clear on how rules I create in the floating section without quick or even with quick will influence the hidden rules.
Hidden rules (first three octets replaced with 1.1.1):
let out anything from the firewall host itself and decrypted IPsec traffic
…
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.43 to !1.1.1.40/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.42 to !1.1.1.42/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.45 to !1.1.1.45/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 1.1.1.41 ) from 1.1.1.46 to !1.1.1.46/29 keep state allow-opts label "let out anything from firewall host itself"

Will the floating rules below override the route-to, or will I need to include the quick option... or will it not override them even with that option?
User-defined rules follow
anchor "userrules/*"
pass out from 1.1.1.43 to !1.1.1.40/29 label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
pass out from 1.1.1.42 to !1.1.1.40/29 label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
pass out from 1.1.1.45 to !1.1.1.40/29 label "USER_RULE: Attempt disable route-to by overridding the hidden rule"
pass out from 1.1.1.46 to !1.1.1.40/29 label "USER_RULE: Attempt disable route-to by overridding the hidden rule"

The reason for wanting this, in case anyone cares...
I want IPsec traffic to be able to switch between two external IPs on a single WAN (only one WAN interface). One gateway goes to the internet. The other is a dedicated link to a backup datacenter. A dynamic route will switch the remote backup site subnet traffic (external IPs) to the internet if the dedicated link goes down. I don't want to use two WAN links because then NAT from LAN to WAN will become a problem for keeping current connections alive during the route switching. I do not want the firewall to ever kill any active connections on the route changing, and I have disabled all state killing on the firewall.

I want outgoing traffic to just always use the routing table to determine where to send packets and not force any traffic to any specific gateway.
-
After thinking about it more I am sure the rules will override the hidden rules. I don't really need to restrict the destination though. All traffic is allowed out from the firewall itself already in another hidden rule, so why spend processing time checking the destination.
For some reason I was getting confused and thinking the most specific match would apply (as if the route-to were somehow a match criterion when it is an option), when I know that is not the case. The last rule that matches the traffic is what applies, with the exception that a match-action rule can add things to it (like queues) if it comes before the pass rule.
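The conclusion in the follow-up (the last matching rule wins, unless an earlier matching rule has quick) is pf's documented evaluation order. The Python below is an added example, not code from the thread or from pfSense: it is a hypothetical model of just that ordering for the rule syntax shown above, so you can see which rule's route-to option (if any) ends up applying to a packet from the firewall host.

```python
import ipaddress
import re
# Hypothetical model of pf evaluation order for the syntax used in this thread:
# "pass out [quick] [route-to ( iface gw )] from SRC to [!]DST ..."; only
# last-match-wins and the "quick" short-circuit are modelled, the rest is ignored.
RULE_RE = re.compile(
    r"pass out (?P<quick>quick )?(?:route-to \( (?P<iface>\S+) (?P<gw>\S+) \) )?"
    r"from (?P<src>\S+) to (?P<neg>!)?(?P<dst>\S+)"
)
def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    return {
        "quick": bool(m.group("quick")),
        "route_to": m.group("gw"),  # None when the rule carries no route-to
        "src": ipaddress.ip_network(m.group("src"), strict=False),
        "dst": ipaddress.ip_network(m.group("dst"), strict=False),
        "dst_negated": bool(m.group("neg")),
    }

def matches(rule, src, dst):
    src_ok = ipaddress.ip_address(src) in rule["src"]
    dst_in = ipaddress.ip_address(dst) in rule["dst"]
    return src_ok and (dst_in != rule["dst_negated"])  # "!" inverts the test

def evaluate(rules, src, dst):
    """Winning rule: the last match, unless an earlier match carries 'quick'."""
    winner = None
    for rule in rules:
        if matches(rule, src, dst):
            winner = rule
            if rule["quick"]:
                break
    return winner

# Order as in the thread's listing: the hidden rule loads before the user rule.
RULESET = [parse_rule(r) for r in (
    "pass out route-to ( em0 1.1.1.41 ) from 1.1.1.43 to !1.1.1.40/29 keep state allow-opts",
    'pass out from 1.1.1.43 to !1.1.1.40/29 label "USER_RULE: override hidden rule"',
)]
# Same pair with "quick" on the hidden rule, which ends evaluation at that rule.
QUICK_RULESET = [parse_rule(r) for r in (
    "pass out quick route-to ( em0 1.1.1.41 ) from 1.1.1.43 to !1.1.1.40/29",
    "pass out from 1.1.1.43 to !1.1.1.40/29",
)]
def gateway_for(src, dst, rules=RULESET):
    """Gateway forced by the winning rule, or None (the routing table decides)."""
    winner = evaluate(rules, src, dst)
    return winner["route_to"] if winner else None
```

On the firewall itself, `pfctl -sr` prints the loaded ruleset in the order pf evaluates it, which is the ordering this model assumes.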