Request to modify PF skip-steps code to upgrade to magic-jumps
Currently PF uses skip-steps to skip over rules that cannot match.
It looks for the next rule with a different value for the parameter that
failed to match.
Example:
1) pass in quick on rl0 inet proto tcp from $ip1 port 80 to any
2) pass in quick on rl0 inet proto udp from $ip1 port 53 to any
3) pass in quick on rl0 inet proto udp from $ip2 port 514 to any
4) pass in quick on rl0 inet proto tcp from $ip2 port 25 to any
5) block in quick on rl0 all
Imagine a TCP packet coming in on rl0 from $ip3.
PF evaluates the first rule: all parameters match up to the source address,
which does not. So the first rule is found not to match. The second rule is
skipped, since it specifies the same (mismatching) source address, and
evaluation continues at rule #3.
Note that it is impossible for rule #3 to match: rule #1 already established
that the packet's proto is tcp, so how could it be udp now?
This shows that PF looks only at the parameter that failed to match.
Here is where magic-jumps come in:
the trick is to take the next rule provided by the skip-steps engine only if
all parameters to the left of the mismatching one are compatible with those
of the original rule that didn't match.
In fact, with this added check, PF will skip rule #3 because the proto has
changed (#1=tcp, #3=udp) and will jump to rule #4 instead.
Obviously this is a small example, but magic-jumps could add some speed-up
even when rulesets aren't exactly skip-step-ordered.
Ed
# RFC @ hacking.openbsd.it