On Thu, Feb 1, 2018 at 2:53 PM, S. Donaldson <donald...@sedsystems.ca> wrote:
> Thus if one applies 'quick' to a match rule one could end up consigning
> packets to 'packet purgatory' ? Which is what I did.
> Is 'match quick' ever valid?
It could be. For example:
pass out on $if inet proto tcp from any to $if:network port 22
# this device needs unaltered packets but has full routing info to send replies
match out quick on $if to 184.108.40.206 tag NoNat
# but most devices have no route tables, or default routes point
elsewhere, so use NAT to ensure we get replies
match out on $if to $if:network nat-to $if
In this example you use match out quick to prevent evaluation of the
next match out (which will NAT your packet, which in this example you
want for most hosts but not this particular one). It's a contrived
example but it could happen.