Vijay Sankar escreveu: > On February 21, 2008 05:19:54 am Guido Tschakert wrote: >> Hi, >> >> I wonder why pf works from top to bottom in filtering with last matching >> rule wins but in adress translation from top to bottom with first >> matching rule wins. >> >> Sure, I can use "quick" on every rule in filtering to have "first >> matching rule wins". >> >> Me thinks it would be better if both filtering and adress translation >> works the same (like first rule wins), but I think there are reasons to >> do it the pf way, but I don't see them. >> Any enlightment for me? >> >> thanks guido > > To me (from a layman's perspective), it seems like first match wins is more > logical for NAT and last match wins seems more correct for filtering. While > writing NAT rules I have not had a situation where one NAT rule negates the > previous rules. Whereas with filtering rules, you could conceivably have that > issue. Also, since you have to use a filter to allow NAT (assuming you are > not using rdr pass) to me, the current approach makes reading a pf.conf file > easier. Anyways. FWIW, that is what I thought was the reasoning behind this > approach. > >From the performance of the openbsd.org PF Faq:
# Complexity and design of your rule set. The more complex your rule set, the slower it is. The more packets that are filtered by keep state and quick rules, the better the performance. The more lines that have to be evaluated for each packet, the lower the performance. I do use quick for all of my rule set. I come from Linux iptables, and for me it was hard to change my way of thinking. I couldn't change it entirely, and do use quick every time. I do this also because more people, which also come from the iptables, do also mantain the rule sets. Does anyone know of a tutorial or howto that focus on this difference of "first match wins" vs. "last match wins". I would happyly start using the latter for writing my rule sets. This is a very interesting discussion, as the pf faq recommends using quick for better performance. My 2 cents, -- Giancarlo Razzolini Linux User 172199 Red Hat Certified Engineer no:804006389722501 Moleque Sem Conteudo Numero #002 Slackware Current OpenBSD Stable Ubuntu 7.04 Feisty Fawn Snike Tecnologia em Informatica 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85 [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
