On Wed, Jul 31, 2013 at 3:53 AM, Stuart Henderson <[email protected]> wrote:
> On 2013/07/30 14:41, Maxim Khitrov wrote:
>> I expected a "match quick ..." rule in pf.conf to terminate ruleset
>> evaluation without changing the pass/block state.
>
> "match quick" seems like a config error to me, what use would it have?
> maybe it should just be rejected?

I think it's a nice way of preventing errors. It gives you a way of
applying the default block rule, unless something else was matched, in
the middle of evaluation. For example, if you're ordering your ruleset
by interface, a simple "match quick on egress" at the end of all the
egress rules ensures that none of the subsequent rules accidentally
match egress traffic if you make a mistake.

This should also improve ruleset evaluation performance by giving you
the equivalent of a "break" statement. Even for simple cases like NAT,
if you're mapping a long list of IPs as the final step in outbound
processing, marking the match rules as quick allows you to skip the
rest of the ruleset and take the appropriate action.

I don't see any good reasons why this shouldn't be allowed, but if the
decision is to restrict quick to pass/block rules, then pfctl should
be updated to complain about it being used with match.

One other consideration for this patch is what happens for constructs like:

anchor quick {
        match all
}

Should this terminate evaluation as well?
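
The ruleset layout described in the post, written out as an added pf.conf illustration (this is not from the original message or from the OpenBSD tree). It assumes the semantics the post proposes, that "quick" on a match rule stops evaluation without touching the pass/block state; interface names, the address table and the anchor name are constructed for the example, and whether pfctl accepts "match quick" at all depends on the pf version and on how this thread was resolved.

```conf
# Added example, not part of the original post. Interface names,
# addresses and the table are constructed. Assumes the "match quick"
# behaviour proposed in the thread: evaluation stops, pass/block state
# is left as it was. pfctl may reject "match quick" on other versions.

ext_if = "em0"
int_if = "em1"
table <nat_hosts> { 10.0.0.0/24, 10.0.1.0/24 }

set skip on lo

# Default policy; this is the state a packet keeps if a quick match rule
# ends evaluation before any pass rule applied to it.
block all

# --- egress section ---
# NAT is the final step of outbound processing. With quick on the match
# rule, a mapped packet skips the rest of the ruleset (the "break").
match out quick on egress from <nat_hosts> to any nat-to (egress)
pass out on egress inet proto { tcp udp } from (self) to any
pass in on egress inet proto tcp to (egress) port { 22 80 }
# Anything on egress that no rule above decided stops here. It keeps
# the "block all" state and can no longer be matched by the internal
# interface rules below, even if one of them is written too broadly.
match quick on egress

# --- internal interface section ---
pass in on $int_if from $int_if:network
pass out on $int_if to $int_if:network

# The construct raised at the end of the post: with only a match rule
# inside a quick anchor, does the anchor end evaluation as well?
anchor "catchall" quick {
        match all
}
```

Note that "quick" precedes "on" in the pf.conf grammar, so the NAT rule is written "match out quick on egress ..." rather than with quick at the end. The example can be syntax-checked with "pfctl -nf" against the pf version in use; a parse error there is the pfctl complaint the post asks for if quick is restricted to pass/block.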
