> huh? "Before any rules are evaluated, the filter checks whether the
> packet matches any state. If it does, the packet is passed without
> evaluation of any rules." - pf.conf(5)

Yeah, I neglected stateful matching.  I should have said that every
packet that has to run the gauntlet of rules, has to run all of them. 
Subsequent reading of the PF FAQ confirms that there's no deep
evaluation-reordering magic going on, that quick rules really are
faster.
--
http://www.lightconsulting.com/~travis/  -><-
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
