Hi,
I was reviewing my firewall rules and got confused about priority rules. I
wasn't certain whether it was better to have a higher priority number for a
rule or a lower one. After some digging it seems that the higher priority
numbers get processed first. I think the pf.conf(5) man page should document
this so others wouldn't have to dig for this info in the PF FAQ. I don't
While looking for the priority info I noticed the queueing section has the
wrong priorities listed in the example rule.
Here's a small patch to fix both.
Timo
Index: man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.530
diff -u -u -p -r1.530 pf.conf.5
--- man5/pf.conf.5 12 Oct 2013 21:44:57 -0000 1.530
+++ man5/pf.conf.5 27 Oct 2013 06:32:23 -0000
@@ -646,6 +646,8 @@ code point in the 802.1Q VLAN header.
If two priorities are given, packets which have a TOS of
.Ar lowdelay
and TCP ACKs with no data payload will be assigned to the second one.
+Packets with higher priority number are processed first and packets with
+the same priority are processed in a round-robin fashion.
.Pp
For example:
.Bd -literal -offset indent
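Review bot: The added sentence describes the general ordering semantics of prio, so it reads better placed before "If two priorities are given" rather than after the sentence about the second priority, which it currently interrupts; also write "Packets with a higher priority number are processed first". The round-robin claim for packets of equal priority is not supported by anything else in this section of the page, so please confirm it against the ifq/prio implementation before committing, and consider dropping that clause or rewording it as "in the order they are received" if that is what the code does.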
@@ -1551,7 +1553,7 @@ pass out on em0 inet proto tcp from $dev
pass out on em0 inet proto tcp from $employeehosts to any port 80 \e
set queue employees
pass out on em0 inet proto tcp from any to any port 22 \e
- set (queue(ssh_bulk, ssh_interactive), prio (6, 3))
+ set (queue(ssh_bulk, ssh_interactive), prio (3, 6))
pass out on em0 inet proto tcp from any to any port 25 \e
set queue mail
.Ed
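Review bot: The swap to prio (3, 6) is consistent with the semantics stated in the earlier hunk (the second of two priorities goes to lowdelay packets and empty TCP ACKs), so ssh_interactive now pairs with the higher priority as the queue name implies; the commit message should say exactly that, since the old (6, 3) ordering can look like a deliberate "bulk first" choice to a reader who does not know that the queue pair and the prio pair are matched positionally.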