Rules processing in ipfw: processing ends with rule 65535 or first match?
Freddie Cash
fjwcash at gmail.com
Thu Jun 4 22:23:49 UTC 2009
Over the years, various how-tos and docs that I've read comparing ipfw
to ipf and pf have categorised them as such:
- ipf/pf compares the packet against every rule in the ruleset, and
the last matching action is used once the end of the ruleset is
reached (last-match-wins)
- ipfw compares the packet against the rules, and stops processing
the ruleset once a rule matches (first-match-wins)
And, if one wants to get the ipfw behaviour in ipf/pf, they can use
the "quick" keyword, which stops processing of the ruleset as soon as
one of those rules matches.
IOW, for a ruleset with 1000 rules, ipf/pf will scan every single rule
for every single packet; and ipfw will only scan the ruleset up to the
first matching rule. In theory, the ipfw method would be a lot
faster, and less intensive.
However, reading through the man page for ipfw(8) on FreeBSD 7.2, it
lists the following (Description section):
The packet passed to the firewall is compared against each
of the rules in the firewall ruleset. When a match is found, the action
corresponding to the matching rule is performed.
And, later, in the Packet Flow section:
Also note that each packet is always checked against the complete ruleset,
irrespective of the place where the check occurs, or the source of
the packet.
These make it sound like ipfw processes the entire ruleset for every
packet, regardless of when a match occurs.
So, which is it? Is ipfw a first-match-wins and rule processing ends
setup? Or does it check every single rule for every single packet?
--
Freddie Cash
fjwcash at gmail.com
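The two evaluation policies the post contrasts, as an added toy model (not code from the post, from ipfw(8) or from pf(4)): first-match-wins with a terminal default rule, and last-match-wins with an optional "quick" stop. The matching is deliberately simplified to exact host/port comparison with no CIDR, state, count or skipto handling; the rules and packets are constructed for the demonstration, and rule 65535 is assumed to deny, which is ipfw's default unless the kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT. The point it shows is that the same ruleset can yield opposite verdicts under the two policies, and how many rules each policy examines before deciding.

```python
"""Toy model of first-match (ipfw-style) vs last-match (ipf/pf-style) rule
evaluation. Added illustration only; not code from the freebsd-ipfw post or
from the firewalls themselves. Matching is an exact-string toy (no CIDR, no
state, no skipto/count), and the packets and rules are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str     # toy: plain host strings compared for equality
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    proto: str = "ip"            # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches every port
    quick: bool = False          # pf/ipf "quick": stop here if this rule matches

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.src == "any" or self.src == pkt.src)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Assumption: the implicit default rule 65535 denies (ipfw's default unless the
# kernel is built with IPFIREWALL_DEFAULT_TO_ACCEPT). Modelled as a plain deny.
DEFAULT_RULE = Rule(65535, "deny")


def first_match(rules, pkt):
    """ipfw-style: walk rules in number order and stop at the first match.
    Returns (action, matching rule number, rules examined)."""
    examined = 0
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_RULE]:
        examined += 1
        if rule.matches(pkt):
            return rule.action, rule.number, examined
    raise AssertionError("unreachable: the default rule matches everything")


def last_match(rules, pkt, default_action="deny"):
    """ipf/pf-style: walk every rule and let the last match win, unless a
    matching rule is marked quick, which ends evaluation immediately.
    Returns (action, matching rule number or None, rules examined)."""
    winner = None
    examined = 0
    for rule in rules:  # pf evaluates in listed order, not by number
        examined += 1
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return default_action, None, examined
    return winner.action, winner.number, examined


# Constructed ruleset: a specific allow ahead of a broad deny, the classic
# case where first-match and last-match disagree.
RULES = [
    Rule(100, "allow", proto="tcp", dst="10.0.0.5", dport=22),
    Rule(200, "deny", proto="tcp", dst="10.0.0.5"),
    Rule(300, "allow", proto="udp", dport=53),
]
# Same ruleset with pf-style "quick" on the specific allow.
RULES_QUICK = [Rule(100, "allow", proto="tcp", dst="10.0.0.5", dport=22,
                    quick=True)] + RULES[1:]

# Constructed sample packets.
SSH = Packet("tcp", "192.0.2.10", "10.0.0.5", 22)
DNS = Packet("udp", "192.0.2.10", "10.0.0.53", 53)
STRAY = Packet("tcp", "192.0.2.10", "10.0.0.9", 443)


def compare(rules, pkt):
    """Run both policies on one packet and return both verdicts."""
    return {"first_match": first_match(rules, pkt),
            "last_match": last_match(rules, pkt)}


if __name__ == "__main__":
    for name, pkt in (("ssh", SSH), ("dns", DNS), ("stray", STRAY)):
        print(name, compare(RULES, pkt))
    print("ssh with quick on rule 100:", last_match(RULES_QUICK, SSH))
```

For the SSH packet, first-match stops at rule 100 after one comparison and allows it, while last-match keeps going, lands on the broader rule 200 and denies it; marking rule 100 "quick" restores the first-match verdict. The stray packet walks the whole ruleset under both policies and is refused by the default rule either way, which is the one case where first-match examines as many rules as last-match.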