freebsd 8

Peter Maxwell peter at allicient.co.uk
Fri Jan 8 11:15:05 UTC 2010


2010/1/8 Olivier Thibault <Olivier.Thibault at lmpt.univ-tours.fr>:
> Le 08.01.2010 11:31, Peter Maxwell a écrit :
>>
>> 2010/1/8 Olivier Thibault <Olivier.Thibault at lmpt.univ-tours.fr>:
>>
>>>> # keep stats of outgoing connections
>>>> pass out keep state
>>>
>>> This rule allows everything out, and the next outgoing rules won't be
>>> checked, as this one matches first.
>>
>> That's incorrect, pf does the opposite and uses the *last* match - at
>> least that's what the documentation says...
>> http://www.openbsd.org/faq/pf/filter.html
>>
>> The quick keyword is used for shortcut evaluation.
>
> Yes! Actually, all the following rules in my pf.conf use this keyword.
> That's why I said that.
> I suppose the rules evaluation is quicker this way but I may be wrong.
> Am I ?

Erm, mostly wrong... it wouldn't improve performance if even a
majority of your rules use it; in that case all you've done is change
last-match processing to first-match processing.

When pf is actually processing packets (this is not the same as
loading your rule set), let's assume that the packets are evaluated
against each rule in a sequential manner.   With that assumption, if
you have most of your rules *without* the quick keyword and only use
quick for those rules near the top of your ruleset that process a
large number of new connections (again, not synonymous with traffic -
it's new connections that matter), then you may see a
performance improvement.  For example, say you have a complex ruleset
but lots of incoming connections on port 80 - then using the quick
keyword and placing the rule near the top of your ruleset may improve
things.

However, that assumes pf goes through the rules in a sequential manner
when actually processing packets - that may not be true.  My advice
would be to put a single 'block all' rule at the top, then have the
remainder of your rules doing 'pass': it is much, much easier to read
and debug.  What is more valuable to you, saving hours on debugging a
firewall box or a 2% performance improvement?  It is also unlikely
you'd be getting enough traffic to warrant the use of 'quick' ;-)

Most other packet filters/firewalls I've used use match first.
Logically using match last is no different (you essentially just write
your rule set upside-down), but it is actually my preference.
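
The following is an added worked example, not code from either poster: a small
Python model of the evaluation order the thread argues about (last matching
rule wins, unless a matching rule carries "quick", which ends evaluation at
once). The Rule/Packet types and the three rulesets are constructed stand-ins
for pf.conf syntax, not a pf parser, and the packets are made up. It shows
that a 'block all' + 'pass ...' ruleset and the same rules written upside-down
with quick on every line give identical verdicts, that quick only changes how
many rules get looked at, and that a non-quick 'pass out' at the top does not
stop later rules from being checked.

```python
"""Model of pf rule evaluation: last match wins, 'quick' stops evaluation.

Added example for illustration; the rule/packet syntax is a constructed
stand-in for pf.conf and is not a pf parser.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in", "out" or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None matches any port
    quick: bool = False    # pf's 'quick' keyword


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule's selector cover the packet?"""
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and (rule.port is None or rule.port == pkt.port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (verdict, number_of_rules_examined).

    Walk the list top to bottom, remember the most recent match, and stop
    as soon as a matching rule has 'quick'.  pf passes packets that match
    no rule at all, so the default verdict is "pass".
    """
    winner = None
    examined = 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action if winner else "pass"), examined


def verdicts(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p)[0] for p in packets]


# Peter's recommended layout: 'block all' first, then pass rules.
LAST_MATCH = [
    Rule("block", "any", "any", None),
    Rule("pass", "in", "tcp", 80),
    Rule("pass", "out", "any", None),
]

# The same policy "upside-down", first-match style with quick on every rule.
FIRST_MATCH = [
    Rule("pass", "in", "tcp", 80, quick=True),
    Rule("pass", "out", "any", None, quick=True),
    Rule("block", "any", "any", None, quick=True),
]

# Olivier's case: 'pass out' at the top without quick.  Later rules are
# still consulted, so a later 'block out' wins under last-match.
PASS_OUT_FIRST = [
    Rule("pass", "out", "any", None),
    Rule("block", "out", "tcp", 25),
]

# Constructed sample packets.
SAMPLE = [
    Packet("in", "tcp", 80),
    Packet("in", "tcp", 22),
    Packet("out", "tcp", 25),
    Packet("out", "udp", 53),
]


if __name__ == "__main__":
    for name, rules in (("last-match", LAST_MATCH), ("first-match/quick", FIRST_MATCH),
                        ("pass-out-first", PASS_OUT_FIRST)):
        for pkt in SAMPLE:
            verdict, n = evaluate(rules, pkt)
            print(f"{name:18} {pkt.direction:3} {pkt.proto:3} {pkt.port:5}: {verdict:5} ({n} rules examined)")
```

Run it and the two "upside-down" rulesets agree on every packet; the only
difference is the examined count, which is what the quick keyword buys you
(the port-80 packet hits 1 rule instead of 3). Whether that matters in
practice is the performance question the message above leaves open.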


More information about the freebsd-pf mailing list