skipto keyword in pf

Ian FREISLICH ianf at clue.co.za
Wed May 8 11:32:47 UTC 2013


Damien Fleuriot wrote:
> > anchor vlan4 quick on vlan4
> > load anchor vlan4 from "/var/db/firewall/vlan4"
> 
> Would you kindly elaborate on the quick keyword in conjunction with anchors ?

According to the manual:
     Matching filter and translation rules marked with the quick option are
     final and abort the evaluation of the rules in other anchors and the main
     ruleset.  If the anchor itself is marked with the quick option, ruleset
     evaluation will terminate when the anchor is exited if the packet is
     matched by any rule within the anchor.


> > and I put the rules for each vlan in their own file. as an example:
> 
> If you only use anchors to cleanly split your rules, 9.x's PF supports includes,
> by the way, a feature that's been missing for so long ;)

I use it to segment my rules per interface.  include won't have the
same effect in this instance.

> Also, @OP:
> Note that if you use anchors, NAT and rdr rules need to be loaded like so:
> 
> nat-anchor test
> rdr-anchor test
> anchor test
> load anchor test from "/etc/pf/anchor_test"
>
> Otherwise, don't be surprised if your NATs and RDRs mysteriously
> aren't applied

I haven't experienced this and I have loads of anchors and NAT and
RDRs that aren't loaded in an anchor.  Perhaps I have too much
traffic to tell if some of it bypasses a NAT rule, but as far as I
can tell it doesn't.

Ian

-- 
Ian Freislich
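A minimal layout that puts both points of the thread side by side, the per-interface anchor marked quick and the nat-anchor/rdr-anchor entries that make translation rules inside an anchor get evaluated, as an added example that is not from either poster. Interface names, the vlan4:network address, the anchor file path and the pfctl checks at the end are assumptions for illustration.

```conf
# /etc/pf.conf (main ruleset) -- constructed example layout
ext_if = "em0"

# FreeBSD 9.x pf keeps translation and filter rules separate, so an
# anchor's nat/rdr rules are only consulted if the main ruleset has a
# matching nat-anchor/rdr-anchor entry; a bare "anchor" line pulls in
# filter rules only.
nat-anchor vlan4
rdr-anchor vlan4

# "quick" on the anchor itself: if any rule inside the anchor matches the
# packet, evaluation stops when the anchor is exited and nothing below
# this line is consulted for that packet.
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"

# Reached only by packets that no rule in the vlan4 anchor matched.
block log all

# ---------------------------------------------------------------------
# /var/db/firewall/vlan4 -- contents of the anchor file (constructed).
# Both the nat rule and the pass rule are loaded by the single
# "load anchor" line above; the nat rule is reached through nat-anchor,
# the pass rule through the quick anchor.
# ---------------------------------------------------------------------
# nat on em0 from vlan4:network to any -> (em0)
# pass in on vlan4 from vlan4:network to any

# ---------------------------------------------------------------------
# Checking what actually landed in the anchor after "pfctl -f /etc/pf.conf":
#   pfctl -a vlan4 -s rules     # filter rules inside the anchor
#   pfctl -a vlan4 -s nat       # nat/rdr rules inside the anchor
# An empty "-s nat" listing while the file clearly holds a nat rule is the
# symptom the nat-anchor/rdr-anchor lines are there to prevent.
# ---------------------------------------------------------------------
```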
