Hi,

I expected a "match quick ..." rule in pf.conf to terminate ruleset
evaluation without changing the pass/block state. This currently
doesn't work because the check in pf_test_rule always refers to the
most recently matched pass/block rule instead of the one being
evaluated. If the current rule is pass/block, then there is no
difference, but if the current rule is match, then the quick flag is
effectively ignored.

I believe the patch below should fix this (unless it's intentional?),
but I don't have a system where I can compile and test this at the
moment.

- Max

--- sys/net/pf.c.orig
+++ sys/net/pf.c
@@ -3323,7 +3323,7 @@
                                }
                        }

-                       if ((*rm)->quick)
+                       if (r->quick)
                                break;
                        r = TAILQ_NEXT(r, entries);
                } else
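Review bot: the substitution of `r->quick` for `(*rm)->quick` is only behaviour-preserving for pass/block rules if the branch above this hunk (not shown) unconditionally sets `*rm = r` when the current rule is a pass/block rule; please confirm that, and mention it in the commit message, since with the old check `*rm` could still point at an earlier pass/block rule when `r` is a match rule, which is exactly the case where `quick` was being ignored. With the new check, a `match quick` rule stops evaluation and leaves `*rm` at whatever pass/block rule (or the default rule) was last matched, which is the "terminate without changing pass/block state" semantics described in the mail, so this also deserves a sentence in pf.conf(5) stating that `quick` on a `match` rule ends evaluation. Because the change is stated to be untested, a ruleset of the form `match quick ...` followed by a `pass ...` rule that would otherwise match the same packet is the minimal regression check: the packet must now end up with the state set by the rules before the `match quick` line, not by the later `pass`.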
