--On 01 October 2005 08:50 -0500, Travis H. wrote:

Huh? "Before any rules are evaluated, the filter checks whether the
packet matches any state. If it does, the packet is passed without
evaluation of any rules." - pf.conf(5)

Yeah, I neglected stateful matching.  I should have said that every
packet that has to run the gauntlet of rules has to run all of them.
Subsequent reading of the PF FAQ confirms that there's no deep
evaluation-reordering magic going on, that quick rules really are
faster.

See pfctl(8) -o option for details about the magic.
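
An added illustration, not part of the original thread and not PF's code: a small Python model of the evaluation order discussed above, counting how many rules each packet is checked against. It assumes a constructed 12-rule ruleset, matches on destination port only, keys state on one direction of the flow, and ignores the pfctl(8) -o ruleset optimizer.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    port: Optional[int]      # None matches any destination port
    quick: bool = False
    keep_state: bool = False


def evaluate(packet, rules, states):
    """Return (action, rules_evaluated) for one packet."""
    flow = (packet["src"], packet["dst"], packet["port"])
    if flow in states:               # state lookup comes before any rule
        return "pass", 0
    action, matched, evaluated = "pass", None, 0   # no matching rule: pass
    for rule in rules:
        evaluated += 1
        if rule.port is not None and rule.port != packet["port"]:
            continue
        action, matched = rule.action, rule        # last matching rule wins
        if rule.quick:                             # quick ends evaluation here
            break
    if matched is not None and action == "pass" and matched.keep_state:
        states.add(flow)
    return action, evaluated


def build_rules(quick):
    """Constructed ruleset: block all, pass ssh, then ten unrelated rules."""
    rules = [Rule("block", None), Rule("pass", 22, quick=quick, keep_state=True)]
    return rules + [Rule("pass", p) for p in range(8000, 8010)]


def demo():
    """Send the same ssh packet twice, without and with quick on the ssh rule."""
    pkt = {"src": "192.0.2.10", "dst": "198.51.100.5", "port": 22}
    out = {}
    for quick in (False, True):
        states = set()
        rules = build_rules(quick)
        out[quick] = (evaluate(pkt, rules, states), evaluate(pkt, rules, states))
    return out


if __name__ == "__main__":
    print(demo())
```

In this model the first packet walks all 12 rules without quick and 2 with it, and the second packet of the flow is passed from the state table with no rules evaluated in either case.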
