From: s m
To: freebsd-questions, Gary Aitken, "from: Lowell Gilbert"
Date: Tue, 16 Dec 2014 09:33:17 +0330
Subject: Re: can ipfw check all permit rules without search termination?

Hello guys,

Thanks for your answers. You know, I have different services and each one writes ipfw rules at different times. I want to aggregate all rules. I mean, if two rules which are written by two different services overlap (for example, rule number 222 permits packets with 192.168.5.5 src address while rule number 225 permits packets with 192.168.5.5 src address and sets next-hop 192.168.10.2 for them), the rule which is more specified matches. In my example, I want rule number 222 to match for packets. In other words, ipfw uses the "first match wins" search method. Can I change this method?