On Mon, Aug 25, 2008 at 03:19:17PM +1000, Mikel Lindsaar wrote:
>
> Thanks for your answer. That mostly answers it. Might be a good
> thing to modify the man page on the quick keyword...
>
> So instead of this in pf.conf(5):
>
>     quick
>         If a packet matches a rule which has the quick option set, this
>         rule is considered the last matching rule, and evaluation of
>         subsequent rules is skipped.
>
> We should change it to something like this: ?
>
>     quick
>         If a packet matches a rule which has the quick option set, this
>         rule is considered the last matching rule, and evaluation of
>         subsequent rules is skipped. Note: if the rule using the quick
>         directive states a specific interface, then using quick on a
>         packet does not guarantee that the packet will make it through
>         the rule set of a different interface. If using quick on a
>         specific interface, then you will need additional rules on other
>         interfaces to approve or block the packet. If you want a packet
>         to be globally affected as the last matching rule, then be sure
>         not to specify an interface when using the quick directive.
>
I think if you read the "on <interface>" description in pf.conf(5), which is immediately after the "quick" description, it answers your question (and avoids the need for a wordy addition, as you suggest).

jmc
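The interaction the two messages describe, shown as an added pf.conf fragment that is not part of the thread or of pf.conf(5). The interface names em0 (outside) and em1 (inside), the address 192.0.2.10 and the ports are assumptions chosen for illustration:

```pf
# Added illustration, not from the original mail or from pf.conf(5).
# Assumed layout: em0 faces the Internet, em1 faces an internal host 192.0.2.10.
ext_if = "em0"
int_if = "em1"

# Default policy: anything not explicitly passed is dropped and logged.
block log all

# "quick" ends ruleset evaluation for this packet at this rule, but the
# "on $ext_if" restriction means the rule is consulted only while the packet
# is traversing em0 (see the "on <interface>" entry in pf.conf(5)).
# "no state" is used here so that every packet really is matched against the
# rules on each interface it crosses; with the default stateful filtering, the
# floating state created on em0 would also carry the reply and the forwarded
# packet without another ruleset pass.
pass in quick on $ext_if proto tcp to 192.0.2.10 port 22 no state

# When the same packet is forwarded out through em1, pf evaluates the ruleset
# again for that interface. The rule above does not apply there, so without
# this rule the default "block log all" is the last matching rule on em1.
pass out quick on $int_if proto tcp to 192.0.2.10 port 22 no state

# No interface is given, so this rule is evaluated on every interface and
# "quick" here is the last matching rule for such a packet wherever it is seen.
block in quick proto tcp to any port 23
```

Load the fragment with `pfctl -nf /path/to/file` to syntax-check it before `pfctl -f`. The practical reading of jmc's pointer is that `quick` only terminates the evaluation that is already taking place; which rules take part in that evaluation is decided by the `on <interface>` clause, so an interface-specific `quick` rule says nothing about what happens to the packet on another interface.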

