Date: Thu, 4 Jun 2009 15:23:48 -0700 From: Freddie Cash <fjwcash@gmail.com> To: freebsd-ipfw@freebsd.org Subject: Rules processing in ipfw: processing ends with rule 65535 or first match? Message-ID: <b269bc570906041523v2076ec83y90a9b8474199f457@mail.gmail.com>
Over the years, various how-tos and docs that I've read comparing ipfw to ipf and pf have categorised them as such:

- ipf/pf compares the packet against every rule in the ruleset, and the last matching action is used once the end of the ruleset is reached (last-match-wins)
- ipfw compares the packet against the rules, and stops processing the ruleset once a rule matches (first-match-wins)

And, if one wants to get the ipfw behaviour in ipf/pf, they can use the "quick" keyword, which stops processing of the ruleset as soon as one of those rules matches.

IOW, for a ruleset with 1000 rules, ipf/pf will scan every single rule for every single packet; and ipfw will only scan the ruleset up to the first matching rule. In theory, the ipfw method would be a lot faster, and less intensive.

However, reading through the man page for ipfw(8) on FreeBSD 7.2, it lists the following (Description section):

    The packet passed to the firewall is compared against each of the rules in
    the firewall ruleset. When a match is found, the action corresponding to
    the matching rule is performed.

And, later, in the Packet Flow section:

    Also note that each packet is always checked against the complete ruleset,
    irrespective of the place where the check occurs, or the source of the
    packet.

These make it sound like ipfw processes the entire ruleset for every packet, regardless of when a match occurs.

So, which is it? Is ipfw a first-match-wins and rule processing ends setup? Or does it check every single rule for every single packet?

--
Freddie Cash
fjwcash@gmail.com
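The two evaluation models the message contrasts, as an added illustration that is not part of the original post or of the FreeBSD sources: a small Python simulation of first-match-wins versus last-match-wins with a pf-style "quick" flag, run over a constructed two-rule ruleset. The `Rule`, `first_match` and `last_match` names are hypothetical, and the default verdict of "deny" stands in for an implicit final rule (such as ipfw's rule 65535).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation
    quick: bool = False  # pf/ipf "quick": stop evaluation on match


def matches(rule, src_ip):
    """A rule matches when the packet's source address falls in rule.src."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)


def first_match(rules, src_ip, default="deny"):
    """ipfw-style evaluation: the first matching rule decides and
    evaluation stops. Returns (verdict, number_of_rules_examined)."""
    for examined, rule in enumerate(rules, 1):
        if matches(rule, src_ip):
            return rule.action, examined
    return default, len(rules)  # fell through to the implicit final rule


def last_match(rules, src_ip, default="deny"):
    """pf/ipf-style evaluation: every rule is examined and the last match
    wins, unless a matching rule is marked quick, which ends evaluation
    immediately. Returns (verdict, number_of_rules_examined)."""
    verdict = default
    for examined, rule in enumerate(rules, 1):
        if matches(rule, src_ip):
            verdict = rule.action
            if rule.quick:
                return verdict, examined
    return verdict, len(rules)


# Constructed sample ruleset: block one private range, then allow the rest.
RULES = [Rule(100, "deny", "10.0.0.0/8"), Rule(200, "allow", "0.0.0.0/0")]
# Same ruleset with the deny marked quick, as a pf/ipf admin would write it
# to get first-match behaviour.
QUICK_RULES = [Rule(100, "deny", "10.0.0.0/8", quick=True), RULES[1]]

if __name__ == "__main__":
    for name, fn, rs in [("first-match", first_match, RULES),
                         ("last-match", last_match, RULES),
                         ("last-match+quick", last_match, QUICK_RULES)]:
        print(name, fn(rs, "10.1.2.3"), fn(rs, "192.0.2.1"))
```

The same two rules pass or block 10.1.2.3 depending on the evaluation model, which is why the semantics matter when a ruleset is ported between the two firewalls.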