Date:      Wed, 1 May 2013 00:46:52 -0700 (PDT)
From:      Nomad Esst <noname.esst@yahoo.com>
To:        pf list <freebsd-pf@freebsd.org>
Subject:   skipto keyword in pf
Message-ID:  <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com>

Hi list
I have been using IPFW for years, now because of some reasons I'm migrating to PF. In IPFW we can use the "skipto" keyword in order to change the order of checking the rules. How can I do this in PF? Another one, is it possible to filter in/out coming traffic according to the source/destination MAC address separately?

Thank you all ... 

Date:      Wed, 1 May 2013 18:59:47 -0500
From:      "David DeSimone" <fox@verio.net>
To:        "Nomad Esst" <noname.esst@yahoo.com>
Cc:        pf list <freebsd-pf@freebsd.org>
Subject:   Re: skipto keyword in pf
Message-ID:  <20130501235946.GS6396@verio.net>
In-Reply-To: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com>


Nomad Esst <noname.esst@yahoo.com> wrote:
>
> I have been using IPFW for years, now because of some reasons I'm
> migrating to PF.  In IPFW we can use the "skipto" keyword in order to
> change the order of checking the rules.  How can I do this in PF?

PF processes rules from top to bottom for every packet, only aborting
the rule evaluation in the case that the "quick" keyword is used to
render a decision immediately.

If you are trying to avoid having to evaluate all of your rules on every
packet, you should read up on the "anchor" feature, which allows you to
perform a type of "subroutine call", evaluating a different ruleset upon
some condition.  You could conceivably use that to evaluate some rules
and come to a decision without having to evaluate all of the rules in a
policy.  It would take some rethinking of your existing rules, no doubt.

> Another one, is it possible to filter in/out coming traffic according
> to the source/destination MAC address separately?

As far as I'm aware, PF is a layer-3 only filter, and has no ability to
filter on MAC.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
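
The anchor approach described in the reply above, sketched as a pf.conf fragment. This is an added example, not part of the original thread; the interface name, addresses, table names and anchor names are assumptions chosen for illustration.

```conf
# Constructed example: em0, the 192.0.2.x / 198.51.100.x addresses, the
# <admins>/<abusers> tables and the anchor names are all placeholders.
ext_if  = "em0"
web_srv = "192.0.2.10"

table <admins>  { 198.51.100.0/24 }
table <abusers> persist

set skip on lo0

# Default deny. Without "quick", the last matching rule decides.
block log all

# An ipfw ruleset would "skipto" a block of web rules here. In pf, the
# anchor's own criteria act as the condition: only inbound TCP to the
# web server on 80/443 is evaluated against the rules inside the braces.
anchor "web" in on $ext_if proto tcp from any to $web_srv port { 80, 443 } {
    block quick from <abusers> to any
    pass  quick from any to any
}

# Second conditional sub-ruleset: SSH is reachable only from <admins>.
anchor "ssh" in on $ext_if proto tcp from any to any port 22 {
    pass  quick from <admins> to any
    block quick from any to any
}

# Everything else is evaluated top to bottom as usual.
pass out on $ext_if all
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, and list the rules inside one anchor with `pfctl -a web -sr`.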

