Date: Wed, 1 May 2013 22:54:37 -0700 (PDT)
From: Nomad Esst <noname.esst@yahoo.com>
To: David DeSimone <fox@verio.net>
Cc: pf list <freebsd-pf@freebsd.org>
Subject: Re: skipto keyword in pf
Message-ID: <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com>
In-Reply-To: <20130501235946.GS6396@verio.net>
References: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net>

>> I have been using IPFW for years, now because of some reasons I'm
>> migrating to PF.  In IPFW we can use the "skipto" keyword in order to
>> change the order of checking the rules.  How can I do this in PF?

>PF processes rules from top to bottom for every packet, only aborting
>the rule evaluation in the case that the "quick" keyword is used to
>render a decision immediately.

>If you are trying to avoid having to evaluate all of your rules on every
>packet, you should read up on the "anchor" feature, which allows you to
>perform a type of "subroutine call", evaluating a different ruleset upon
>some condition. You could conceivably use that to evaluate some rules
>and come to a decision without having to evaluate all of the rules in a
>policy.  It would take some rethinking of your existing rules, no doubt.

How is it possible? Could you please come up with some examples?
The traffic I want to decide about, first, must match all features which I want and then do the decision about the traffic.

Thanks

From owner-freebsd-pf@FreeBSD.ORG Thu May 2 11:10:48 2013
Date: Thu, 2 May 2013 13:10:38 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-pf@freebsd.org
Subject: Re: skipto keyword in pf
Message-ID: <20130502131038.72cc6020@davenulle.org>
In-Reply-To: <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com>
References: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net> <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com>

On Wed, 1 May 2013 22:54:37 -0700 (PDT), Nomad Esst <noname.esst@yahoo.com> wrote:

> >If you are trying to avoid having to evaluate all of your rules on
> >every packet, you should read up on the "anchor" feature, which
> >allows you to perform a type of "subroutine call", evaluating a
> >different ruleset upon some condition. You could conceivably use
> >that to evaluate some rules and come to a decision without having to
> >evaluate all of the rules in a policy.  It would take some
> >rethinking of your existing rules, no doubt.
>
> How is it possible? Could you please come up with some examples?
> The traffic I want to decide about, first, must match all features
> which I want and then do the decision about the traffic.

Well, tags could help here. With a concrete example of what you want,
it would be easier to suggest a solution.

Regards.
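
The two approaches suggested in this thread, tags and anchors, sketched as a pf.conf fragment. This is an added example, not part of any message in the thread; the interface name, addresses, table names, tag names and the policy itself are assumptions.

```pf
# Added example; interface, addresses, table and tag names are assumptions.
ext_if = "em0"
table <admins>   { 192.0.2.10, 192.0.2.11 }
table <partners> { 198.51.100.0/24 }

set skip on lo0

# --- Tags: test several criteria first, decide afterwards ----------------
# These pass rules are not "quick", so they do not end evaluation. They
# only attach a tag. A packet carries one tag at a time, so the second
# rule replaces TLS with PARTNER_TLS when both criteria hold.
pass in on $ext_if proto tcp from any to any port 443 tag TLS
pass in on $ext_if proto tcp from <partners> to any tagged TLS tag PARTNER_TLS

# Last match wins: this default overrides the two tagging rules above,
# so a tag alone never lets a packet in.
block in log on $ext_if all

# The decision, taken only for packets that met every criterion.
pass in quick on $ext_if all tagged PARTNER_TLS

# --- Anchor: a "subroutine" entered only on a condition ------------------
# Packets that are not inbound TCP to port 22 never evaluate the rules
# inside the braces; this is the effect the thread suggests using in
# place of IPFW's skipto.
anchor "ssh_in" in on $ext_if proto tcp from any to any port 22 {
    block quick from ! <admins> to any
    pass quick from <admins> to any
}

pass out on $ext_if all
```

Running `pfctl -nf` on the file parses the ruleset without loading it, which catches syntax errors before the rules take effect.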