From: Freddie Cash <fjwcash@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 4 Jun 2009 15:23:48 -0700
Subject: Rules processing in ipfw: processing ends with rule 65535 or first match?
Over the years, various how-tos and docs that I've read comparing ipfw to ipf and pf have categorised them as such:

- ipf/pf compares the packet against every rule in the ruleset, and the last matching action is used once the end of the ruleset is reached (last-match-wins)

- ipfw compares the packet against the rules, and stops processing the ruleset once a rule matches (first-match-wins)

And, if one wants to get the ipfw behaviour in ipf/pf, they can use the "quick" keyword, which stops processing of the ruleset as soon as one of those rules matches.

IOW, for a ruleset with 1000 rules, ipf/pf will scan every single rule for every single packet; and ipfw will only scan the ruleset up to the first matching rule. In theory, the ipfw method would be a lot faster, and less intensive.

However, reading through the man page for ipfw(8) on FreeBSD 7.2, it lists the following (Description section):

    The packet passed to the firewall is compared against each of the
    rules in the firewall ruleset. When a match is found, the action
    corresponding to the matching rule is performed.

And, later, in the Packet Flow section:

    Also note that each packet is always checked against the complete
    ruleset, irrespective of the place where the check occurs, or the
    source of the packet.

These make it sound like ipfw processes the entire ruleset for every packet, regardless of when a match occurs.

So, which is it? Is ipfw a first-match-wins and rule processing ends setup? Or does it check every single rule for every single packet?

-- 
Freddie Cash
fjwcash@gmail.com
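The two evaluation schemes the post contrasts (first-match-wins, and last-match-wins with an optional "quick" short-circuit) can be modelled in a few lines, which makes the practical difference concrete: the same ordered ruleset can yield different verdicts, and a very different number of rules examined per packet, depending on which scheme the firewall uses. The following is an added illustration, not code from the post, from ipfw, or from pf/ipf; the Rule and Packet types, the three-rule set and the matcher (protocol and destination port only) are constructed simplifications, and "quick" is modelled only as "stop the walk on this match".

```python
# Added illustration: a model of the two rule-evaluation schemes described in the
# post (first-match-wins vs. last-match-wins with an optional 'quick').  Not ipfw
# or pf code; the rule/packet format is a constructed simplification.
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int              # rule number; rules are evaluated in ascending order
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp", or "ip" (matches any protocol)
    dst_port: Optional[int]  # None matches any destination port
    quick: bool = False      # pf/ipf-style 'quick': stop processing on match


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Minimal matcher: protocol and destination port only."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def first_match(rules, pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """First-match-wins: act on the first matching rule and stop.
    Returns (action, number of rules examined)."""
    examined = 0
    for rule in sorted(rules, key=lambda r: r.number):
        examined += 1
        if matches(rule, pkt):
            return rule.action, examined
    return default, examined


def last_match(rules, pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """Last-match-wins: walk the whole ruleset; the last matching rule's action
    applies, unless a matching rule is marked 'quick', which ends the walk.
    Returns (action, number of rules examined)."""
    verdict = default
    examined = 0
    for rule in sorted(rules, key=lambda r: r.number):
        examined += 1
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, examined


# Constructed three-rule set: permit ssh, block other tcp, permit everything else.
RULES = [
    Rule(100, "allow", "tcp", 22),
    Rule(200, "deny", "tcp", None),
    Rule(300, "allow", "ip", None),
]

# The same set with the tcp block marked 'quick'.
RULES_QUICK = [replace(r, quick=True) if r.number == 200 else r for r in RULES]


def compare(rules, pkt: Packet) -> dict:
    """Both verdicts for one packet: {'first': (action, n), 'last': (action, n)}."""
    return {"first": first_match(rules, pkt), "last": last_match(rules, pkt)}


if __name__ == "__main__":
    for pkt in (Packet("tcp", 22), Packet("tcp", 80), Packet("udp", 53)):
        print(pkt, compare(RULES, pkt), "quick:", last_match(RULES_QUICK, pkt))
```

Run as a script it prints, for each constructed packet, the verdict and rule count under each scheme. A tcp/80 packet is denied after two rules under first-match, but allowed after all three under last-match because the trailing "allow ip" overrides the earlier deny; marking the deny rule quick restores the deny and stops the walk at rule 200. The count returned alongside the verdict is the quantity the post's 1000-rule comparison is about.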