On Saturday, October 1, "Travis H." wrote: > > Yeah, I neglected stateful matching. I should have said that every > packet that has to run the gauntlet of rules, has to run all of them. > Subsequent reading of the PF FAQ confirms that there's no deep > evaluation-reordering magic going on, that quick rules really are > faster.
There are various optimizations going on, in particular, skip-steps is one that has proven to be effective... :) --Toby.
