On Nov 1, 2009, at 3:08 PM, Ted Unangst wrote:
> The optimizer is documented in both the pfctl and pf.conf man pages, and the one for pf.conf tells you exactly what it does.
In pfctl's man page (4.6), there is a statement that the kernel sometimes skips rules -- no mention of the optimizer playing any part in it.
The string "skip" appears three times in pf.conf's man page. Twice in relation to the "skip on <interface>" rule and once describing the effect of the "quick" keyword.
It does say that ruleset-optimization can "improve performance" and may reorder the rules, but it's pretty light on just what that might mean: nothing about examining rules to be able to skip evaluating some. Nor is there anything about the hierarchy of fields it uses to examine them. All this *is* explained at undead. A little cut&paste is in order here, IMHO.
I still claim this is a major 'undocumented feature' of pf. And that if this functionality had been implemented anywhere else, there'd be a lot of noise about it. I've spent years working on iptables and Cisco filters, hand optimizing them to get just part of what pf gives me for next to free.
The earlier poster (Jason) is right: this *is* the way a firewall should work -- spend your time on implementing the security policy and let the 'compiler' worry about efficiency. But since the others don't, it might be a good idea to go into this at some length.
-- Glenn English g...@slsware.com
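The "skipping" the thread is arguing about is pf's skip-step mechanism: rules whose value for a given field is identical and adjacent form a group, and a mismatch on that field lets the kernel jump past the whole group instead of testing every rule. The model below is an added illustration, not code from this thread or from pf's sources; it assumes a reduced field set (interface, direction, protocol, destination), "any" as the wildcard, pf's last-match-wins semantics with default pass, and a constructed ruleset that is already sorted the way the optimizer reorders rules.

```python
# Added example (not pf's code): a small model of pf's skip steps with a simplified rule format.
from collections import namedtuple
FIELDS = ("ifname", "direction", "proto", "dst")          # order in which the kernel tests fields
Rule = namedtuple("Rule", "action ifname direction proto dst quick",
                  defaults=("any", "any", "any", "any", False))

def calc_skip_steps(rules):
    """skip[i][f] = index of the first rule after i whose field f differs from rule i's."""
    n, skip = len(rules), [{} for _ in rules]
    for f in FIELDS:
        i = 0
        while i < n:                                       # consecutive equal values form one group
            j = i
            while j < n and getattr(rules[j], f) == getattr(rules[i], f):
                j += 1
            for k in range(i, j):
                skip[k][f] = j                             # a mismatch here jumps past the whole group
            i = j
    return skip

def evaluate(rules, skip, packet):
    """Last match wins unless 'quick'; default pass, as in pf. Returns (action, rules examined)."""
    action, examined, i = "pass", 0, 0
    while i < len(rules):
        examined += 1
        r = rules[i]
        miss = next((f for f in FIELDS
                     if getattr(r, f) not in ("any", packet[f])), None)
        if miss is not None:
            i = skip[i][miss]                              # skip every rule sharing the mismatched value
            continue
        action = r.action
        if r.quick:
            break
        i += 1
    return action, examined

# Constructed ruleset, ordered so equal fields sit together (what pfctl -o works toward).
RULES = [
    Rule("block", "em0", "in", "tcp", dst="10.0.0.1"),
    Rule("block", "em0", "in", "tcp", dst="10.0.0.2"),
    Rule("block", "em0", "in", "udp", dst="10.0.0.1"),
    Rule("pass", "em1", "out"),
    Rule("pass", "em1", "in", "tcp", dst="10.0.0.9", quick=True),
]
SKIP = calc_skip_steps(RULES)
PKT = {"ifname": "em1", "direction": "in", "proto": "tcp", "dst": "10.0.0.9"}   # constructed packet
print(evaluate(RULES, SKIP, PKT), "of", len(RULES), "rules")                   # ('pass', 3) of 5 rules
```

Reordering rules so that equal fields are adjacent is exactly why the optimizer can change rule order without changing policy: the groups get larger and each mismatch skips more.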