Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 04 Jun 2009 22:33:26 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Rules processing in ipfw: processing ends with rule 65535 or first 	match?
Message-ID:  <4A28AE26.6010805@elischer.org>
In-Reply-To: <b269bc570906041523v2076ec83y90a9b8474199f457@mail.gmail.com>
References:  <b269bc570906041523v2076ec83y90a9b8474199f457@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Freddie Cash wrote:
> Over the years, various how-tos and docs that I've read comparing ipfw
> to ipf and pf have categorised them as such:
> 
>   - ipf/pf compares the packet against every rule in the ruleset, and
> the last matching action is used once the end of the ruleset is
> reached (last-match-wins)
> 
>   - ipfw compares the packet against the rules, and stops processing
> the rulesset once a rule matches (first-match-wins)
> 
> And, if one wants to get the ipfw behaviour in ipf/pf, they can use
> the "quick" keyword, which stops processing of the ruleset as soon as
> one of those rules matches.
> 
> IOW, for a ruleset with 1000 rules, ipf/pf will scan every single rule
> for every single packet; and ipfw will only scan the ruleset up to the
> first matching rule.  In theory, the ipfw method would be a lot
> faster, and less intensive.
> 
> However, reading through the man page for ipfw(8) on FreeBSD 7.2, it
> lists the following (Description section):
>     The packet passed to the firewall is compared against each
>     of the rules in the firewall ruleset.  When a match is found, the action
>     corresponding to the matching rule is performed.


the packet is compared against each rule it encounters
however it might not encounter a rule by 3 means:

1/ it matches a rule before the rule in question and stops processing
2/ it bypasses the rule in question due to matching a rule with a
    skipto action.
3/ it matches a check-state rule and effectively shortcuts to the
    exact rule that is needed for that session, skipping all
    intermediate rles.


> 
> And, later, in the Packet Flow section:
>     Also note that each packet is always checked against the complete rule-
>     set, irrespective of the place where the check occurs, or the source of
>     the packet.
> 
> These make it sound like ifpw processes the entire ruleset for every
> packet, regardless of when a match occurs.
> 
> So, which is it?  Is ipfw a first-match-wins and rule processing ends
> setup?  Or does it check every single rule for every single packet?
> 




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4A28AE26.6010805>