From: Julian Elischer
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 04 Jun 2009 22:33:26 -0700
Message-ID: <4A28AE26.6010805@elischer.org>
Subject: Re: Rules processing in ipfw: processing ends with rule 65535 or first match?
Freddie Cash wrote:
> Over the years, various how-tos and docs that I've read comparing ipfw
> to ipf and pf have categorised them as such:
>
> - ipf/pf compares the packet against every rule in the ruleset, and
> the last matching action is used once the end of the ruleset is
> reached (last-match-wins)
>
> - ipfw compares the packet against the rules, and stops processing
> the ruleset once a rule matches (first-match-wins)
>
> And, if one wants to get the ipfw behaviour in ipf/pf, they can use
> the "quick" keyword, which stops processing of the ruleset as soon as
> one of those rules matches.
>
> IOW, for a ruleset with 1000 rules, ipf/pf will scan every single rule
> for every single packet; and ipfw will only scan the ruleset up to the
> first matching rule. In theory, the ipfw method would be a lot
> faster, and less intensive.
>
> However, reading through the man page for ipfw(8) on FreeBSD 7.2, it
> lists the following (Description section):
> The packet passed to the firewall is compared against each
> of the rules in the firewall ruleset. When a match is found, the action
> corresponding to the matching rule is performed.

The packet is compared against each rule it encounters; however, it might
not encounter a rule by 3 means:
1/ it matches a rule before the rule in question and stops processing
2/ it bypasses the rule in question due to matching a rule with a skipto action.
3/ it matches a check-state rule and effectively shortcuts to the exact rule
that is needed for that session, skipping all intermediate rules.

>
> And, later, in the Packet Flow section:
> Also note that each packet is always checked against the complete rule-
> set, irrespective of the place where the check occurs, or the source of
> the packet.
>
> These make it sound like ipfw processes the entire ruleset for every
> packet, regardless of when a match occurs.
>
> So, which is it? Is ipfw a first-match-wins and rule processing ends
> setup? Or does it check every single rule for every single packet?
>
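As an added illustration for this archive page (constructed for it, not code from the thread and not FreeBSD's ipfw implementation), the following Python model walks a small ruleset the way the reply above describes: first match ends processing, a matching skipto jumps forward past intermediate rules, and a check-state hit on an existing keep-state session applies the creating rule's action directly. The ruleset, the 10.0.0.x and 192.0.2.x addresses, and the treatment of the implicit default rule 65535 as deny are assumptions made for the example; the `evaluate` method returns, alongside the verdict, the list of rule numbers the packet was actually compared against, which is the quantity the question is about.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str            # "allow", "deny", "skipto" or "check-state"
    proto: str = "any"     # "tcp", "udp", "icmp" or "any"
    src: str = "any"
    dst: str = "any"
    target: int = 0        # destination rule number for skipto
    keep_state: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


class Firewall:
    """Toy model of ipfw rule walking (not the real implementation):
    first match wins, skipto jumps forward, check-state short-circuits
    to the rule that created the session."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        # dynamic (keep-state) entries: flow key -> number of the rule that created it
        self.dynamic = {}

    @staticmethod
    def _matches(rule, pkt):
        return all(want in ("any", have) for want, have in
                   ((rule.proto, pkt.proto), (rule.src, pkt.src), (rule.dst, pkt.dst)))

    def _index_at_or_after(self, number):
        for i, rule in enumerate(self.rules):
            if rule.number >= number:
                return i
        return len(self.rules)

    def _action_of(self, number):
        return next(r.action for r in self.rules if r.number == number)

    def evaluate(self, pkt):
        """Return (verdict, rule numbers actually compared against the packet)."""
        visited = []
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            visited.append(rule.number)
            if rule.action == "check-state":
                forward = (pkt.proto, pkt.src, pkt.dst)
                reverse = (pkt.proto, pkt.dst, pkt.src)
                creator = self.dynamic.get(forward, self.dynamic.get(reverse))
                if creator is not None:
                    # Reason 3: existing session -> apply the creating rule's
                    # action, skipping every rule in between
                    visited.append(creator)
                    return self._action_of(creator), visited
                i += 1
                continue
            if not self._matches(rule, pkt):
                i += 1
                continue
            if rule.action == "skipto":
                # Reason 2: jump forward; rules between here and target are never examined
                i = self._index_at_or_after(rule.target)
                continue
            if rule.keep_state:
                self.dynamic[(pkt.proto, pkt.src, pkt.dst)] = rule.number
            # Reason 1: first match wins, processing stops here
            return rule.action, visited
        # Fell off the end: implicit default rule 65535, modelled as deny
        # (assumption: kernel not built to accept by default)
        visited.append(65535)
        return "deny", visited


def build_example_firewall():
    """Constructed ruleset (not from the thread) exercising all three cases."""
    return Firewall([
        Rule(100, "check-state"),
        Rule(200, "skipto", proto="tcp", src="10.0.0.5", target=1000),
        Rule(300, "deny", proto="tcp"),
        Rule(1000, "allow", proto="tcp", keep_state=True),
    ])


def run_demo():
    """Constructed packets, evaluated in order because packet 1 creates state."""
    fw = build_example_firewall()
    packets = [
        Packet("tcp", "10.0.0.5", "192.0.2.1"),   # skipto over rule 300, opens state
        Packet("tcp", "192.0.2.1", "10.0.0.5"),   # reply: check-state hits rule 1000
        Packet("tcp", "10.0.0.9", "192.0.2.1"),   # first match at 300, stops there
        Packet("udp", "10.0.0.9", "192.0.2.1"),   # nothing matches, default rule
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict, visited in run_demo():
        print(verdict, visited)
```

Only the UDP packet, which matches nothing, is compared against the whole ruleset before reaching the default rule; the other three stop early for one of the three reasons named in the reply.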