Rules processing in ipfw: processing ends with rule 65535 or
first match?
Ian Smith
smithi at nimnet.asn.au
Fri Jun 5 06:04:54 UTC 2009
On Thu, 4 Jun 2009, Freddie Cash wrote:
> Over the years, various how-tos and docs that I've read comparing ipfw
> to ipf and pf have categorised them as such:
>
> - ipf/pf compares the packet against every rule in the ruleset, and
> the last matching action is used once the end of the ruleset is
> reached (last-match-wins)
>
> - ipfw compares the packet against the rules, and stops processing
> the rulesset once a rule matches (first-match-wins)
That's true for terminal actions (allow, deny) but not for non-terminal
actions (esp. skipto), but also pipe, queue, divert, nat .. which may
continue rule processing, modulo net.inet.ip.fw.one_pass, until a match
with a terminal action occurs. worst case, rule 65535 always matches.
> And, if one wants to get the ipfw behaviour in ipf/pf, they can use
> the "quick" keyword, which stops processing of the ruleset as soon as
> one of those rules matches.
>
> IOW, for a ruleset with 1000 rules, ipf/pf will scan every single rule
> for every single packet; and ipfw will only scan the ruleset up to the
> first matching rule. In theory, the ipfw method would be a lot
> faster, and less intensive.
I can't comment on ipf or pf or their relative efficiencies.
> However, reading through the man page for ipfw(8) on FreeBSD 7.2, it
> lists the following (Description section):
> The packet passed to the firewall is compared against each
> of the rules in the firewall ruleset. When a match is found, the action
> corresponding to the matching rule is performed.
Yes, but noting the following para:
Depending on the action and certain system settings, packets can be rein-
jected into the firewall at some rule after the matching one for further
processing.
> And, later, in the Packet Flow section:
> Also note that each packet is always checked against the complete rule-
> set, irrespective of the place where the check occurs, or the source of
> the packet.
That's referring to where ipfw is invoked from on each pass, eg from
ip_input or ip_output at layer 3, or ether_demux or ether_output_frame
if filtering at layer 2 for routing, or bdg_forward if bridging. In
each such ipfw pass invoked on a packet, that indicates rule scanning
starts at the beginning of the ruleset and ends on a (terminal) match.
> These make it sound like ifpw processes the entire ruleset for every
> packet, regardless of when a match occurs.
>
> So, which is it? Is ipfw a first-match-wins and rule processing ends
> setup? Or does it check every single rule for every single packet?
First _terminal_ match terminates the search. Just saw Julian's post
arrive .. dynamic rules matching state indeed short-circuit the search
at the first encountered check-state or keep-state rule, though even in
that case the action may be a skipto rather than a terminal action.
cheers, Ian
More information about the freebsd-ipfw
mailing list