So the "Proper use of self" post made me ponder about the proper use of "quick". My ruleset consists of a lot of "quick" rules (more than 90%) because in my mind it's faster to stop evaluating any further rules if it isn't needed. But it feels weird that every rule I write now always has "quick" and it's making me wonder if that's wrong because nearly all other pf rulesets I see don't use "quick" so much. Is heavy use of "quick" bad / to be avoided or am I just writing my rules wrong? I am actually curious myself how nearly all my rules devolved into being "quick".
Here is an example of some rules for ipv6 I have:

```
..// More rules above

# Allow ipv6 NDP neighbor solicitation and neighbor advertisements
# to/from our router. Packets sent to the router will not be forwarded
# to other subnets. Pass in rule must come before our urpf-failed check.
pass in quick on !egress inet6 proto icmp6 from <local_src_addrs_ipv6> to ff02::1:ff00:0/104 icmp6-type neighbrsol
pass out quick on !egress inet6 proto icmp6 from (self) to { fe80::/10 fc00::/7 ff02::1:ff00:0/104 2000::/3 } icmp6-type neighbrsol
pass in quick on !egress inet6 proto icmp6 to { (self) ff02::1 } icmp6-type neighbradv
pass out quick on !egress inet6 proto icmp6 from (self) to { fe80::/10 fc00::/7 ff02::1 2000::/3 } icmp6-type neighbradv

# Allow ipv6 NDP router solicitation to our router and router advertisements from our router
pass in quick on !egress inet6 proto icmp6 from <local_src_addrs_ipv6> to ff02::2 icmp6-type routersol
pass out quick on !egress inet6 proto icmp6 from (self) to { ff02::1 fe80::/10 fc00::/7 } icmp6-type routeradv

# RFC951 Allow BOOTP/DHCP DISCOVER in the scenario that the router is
# the intended bootp server or the router is a bootp client. If required
# across subnets additional rules will be required. This rule must come
# before the check on urpf-failed rule as that rule will explicitly
# block these packets
pass in quick on !egress inet proto udp from port bootpc to { (self) 255.255.255.255 } port bootps no state
pass out quick on !egress proto udp from (self) port bootpc to port bootps

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
### No need for antispoof rules with this rule.
block in log quick from urpf-failed

# Allow ipv6 MLDv2/3 packets (the ipv6 version of IGMP) to reach and be
# sent from router
# https://en.wikipedia.org/wiki/Multicast_Listener_Discovery
pass in quick on !egress proto icmp6 to ff02::16 icmp6-type listenrep
pass in quick on !egress proto icmp6 to ff02::2 icmp6-type listendone
pass out quick on !egress inet6 proto icmp6 from (self) to <localnet_multicast> icmp6-type listqry
pass quick on !egress proto udp to <localnet_multicast>

..// More rules below
```

Thanks,
Adonis
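
An added example, not part of the original post: a toy Python model of how pf picks the deciding rule (last matching rule wins, `quick` ends evaluation at the first match), applied to the post's BOOTP-before-`urpf-failed` ordering. The packet dicts, the `urpf_failed` flag and all function names are constructed for illustration; it models rule semantics only, not pf's internals or performance.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    match: Callable[[dict], bool]   # predicate over a packet dict
    quick: bool = False

def evaluate(rules, pkt):
    """Return (verdict, rules_examined). The last matching rule wins,
    a matching 'quick' rule stops evaluation, and a packet that matches
    nothing is passed (pf's implicit default)."""
    verdict, examined = "pass", 0
    for rule in rules:
        examined += 1
        if rule.match(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, examined

def is_bootp(p):
    return p["proto"] == "udp" and p["sport"] == 68 and p["dport"] == 67

def urpf_failed(p):
    return p["urpf_failed"]         # stand-in for pf's routing-table lookup

def ruleset(order, quick):
    rules = {"bootp": Rule("pass", is_bootp, quick),
             "urpf": Rule("block", urpf_failed, quick)}
    return [rules[name] for name in order]

# Constructed packets. Per the post's comment, a DHCP DISCOVER fails the uRPF check.
DISCOVER = {"proto": "udp", "sport": 68, "dport": 67, "urpf_failed": True}
SPOOFED = {"proto": "tcp", "sport": 40000, "dport": 22, "urpf_failed": True}

QUICK_STYLE = ruleset(["bootp", "urpf"], quick=True)             # order used in the post
LAST_MATCH_SAME_ORDER = ruleset(["bootp", "urpf"], quick=False)  # same order, no quick
LAST_MATCH_REORDERED = ruleset(["urpf", "bootp"], quick=False)   # general rule first

if __name__ == "__main__":
    for name, rs in [("quick", QUICK_STYLE),
                     ("last-match, same order", LAST_MATCH_SAME_ORDER),
                     ("last-match, reordered", LAST_MATCH_REORDERED)]:
        print(f"{name:24} DISCOVER={evaluate(rs, DISCOVER)} SPOOFED={evaluate(rs, SPOOFED)}")
```

With `quick` on every rule the ruleset is read first-match, so exceptions go above the general block; without `quick` the same policy needs the reverse order, and dropping `quick` without reordering silently blocks the DHCP exception.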