PF match rules questions..

Hello,

Got a few questions in regards to the "match" rules.
From what I understand, they do not create states, and multiple rules are evaluated (i.e. it's not first/last match "wins").

The question is: why do these rules allow, for example:
Code:
match in on ix0 inet proto tcp from any to 11.22.33.44 port = 60000 flags S/SA keep state (source-track rule, max-src-conn 1, overload <maxconn>, src.track 10)
match in on ix0 inet proto tcp from any to 11.22.33.44 port = 60000 flags S/SA keep state (source-track rule, max-src-conn-rate 1/1, overload <connrate>, src.track 10)
And ... nothing gets "overloaded" in the tables?

I also tried:
Code:
match in on ix0 inet proto tcp from any to 11.22.33.44 port = 60000 flags S/SA keep state (source-track rule, max-src-conn 1, src.track 10) tag maxconn
match in on ix0 inet proto tcp from any to 11.22.33.44 port = 60000 flags S/SA keep state (source-track rule, max-src-conn-rate 1/1, src.track 10) tag connrate
pass in on ix0 from any tagged maxconn keep state (source-track rule, max-src-conn 1, overload <maxconn>, src.track 10)
pass in on ix0 from any tagged connrate keep state (source-track rule, max-src-conn-rate 1/1, overload <connrate>, src.track 10)
but, for some reason, only the 2nd pass rule actually does anything (i.e. overloads into its table).

As you could probably gather, the idea is to be able to "tell" why an IP went into 1 of the 2 tables. The values 1 and 1/1 are for testing purposes only - to force overloading without making a ton of connections.

Ideas? Why don't the match rules do what (I thought) they should?
Any other option to achieve max-src-conn and max-src-conn-rate overloading in separate tables without the "first/last rule taking precedence"?