Hello list,
I have purchased and read the book of PF (good book by the way) as
well as the man pages, and I have a question that I have not been able
to find a definitive answer on:
"Does PF only evaluate every packet against the ruleset once on all
interfaces, or does it evaluate once for each interface?"
What I mean is, does a matching pass quick rule on one interface (say
$int_if) then also guarantee egress on another interface that has a
block rule?
Per pf.conf(5):
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last. The last matching
rule decides what action is taken. If no rule matches the packet, the
default action is to pass the packet.
.....
If a packet matches a rule which has the quick option set, this
rule is considered the last matching rule, and evaluation of subse-
quent rules is skipped.
But this only says 'for each packet processed' not how many times it
may or may not process that packet. I assume it does it just once, but
I have been wrong before :)
For a contrived example:
1 pass in quick on $int_if route-to ($ext_if, $ext_gw) from any to any
2 block out quick on $ext_if from any to any
Given a packet coming in on $int_if, rule(1) matches so rule(2) would
not be evaluated.
Given a packet originating from localhost, rule(1) does not match so
rule(2) would be matched.
Am I correct on this understanding?
Mikel
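One way to sidestep the question entirely is to make the egress decision explicit with tag/tagged, so the outcome does not depend on how many times the ruleset is evaluated. This is an added example, not part of Mikel's message; the interface names, gateway and network are placeholder values.

```pf
# Added example (not from the original post). Instead of relying on the
# pass quick rule on $int_if implying egress on $ext_if, carry the decision
# across with a tag and match it explicitly on the outgoing interface.
# Macro values are placeholders.
int_if  = "em0"
ext_if  = "em1"
ext_gw  = "192.0.2.1"
int_net = "10.0.0.0/24"

# Inbound on the internal interface: pass, route via the external gateway,
# and tag the packet. The tag is kept with the state as well as the packet.
# keep state is written out so the ruleset also works on older PF releases
# where it is not the default.
pass in quick on $int_if route-to ($ext_if $ext_gw) \
    from $int_net to any tag FROM_INT keep state

# Outbound on the external interface: allow only traffic tagged above and
# block everything else, including locally originated traffic.
pass out quick on $ext_if tagged FROM_INT keep state
block out quick on $ext_if from any to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without applying, and check which rules are hit with `pfctl -vsr` after testing from both sides.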