
List:       openbsd-pf
Subject:    Re: More pf parser fun & user error & unexpected results 'match quick'
From:       Kenneth Gober <kgober () gmail ! com>
Date:       2018-02-02 20:37:42
Message-ID: CANHrbpfAakyKw--ZzTZQQiKF4=s_u0qe=e7NkrB4=Yqdq_g2Uw () mail ! gmail ! com

On Thu, Feb 1, 2018 at 2:53 PM, S. Donaldson <donaldson@sedsystems.ca> wrote:
> Thus if one applies 'quick' to a match rule one could end up consigning packets to
> 'packet purgatory'? Which is what I did.
> Is 'match quick' ever valid?

It could be.  For example:

pass out on $if inet proto tcp from any to $if:network port 22

# this device needs unaltered packets but has full routing info to send replies
match out quick on $if to 1.2.3.4 tag NoNat

# but most devices have no route tables, or default routes point
# elsewhere, so use NAT to ensure we get replies
match out on $if to $if:network nat-to $if

In this example you use match out quick to prevent evaluation of the
next match out (which will NAT your packet, which in this example you
want for most hosts but not this particular one).  It's a contrived
example but it could happen.

-ken
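The evaluation order Ken describes (last matching pass/block rule wins, match rules only accumulate options, and quick stops evaluation even on a match rule), as an added example that is not part of the thread: a small Python model of pf's rule walk, not pf's code. The addresses are constructed ($if:network assumed to be 1.2.3.0/24 and $if to be 1.2.3.1, so that 1.2.3.4 sits inside the NATed network), and the second ruleset is an assumed reconstruction of the "packet purgatory" ordering, not the original poster's actual rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                    # "pass", "block" or "match"
    quick: bool = False
    dst: Optional[str] = None      # destination network; None matches any
    port: Optional[int] = None     # destination port; None matches any
    nat_to: Optional[str] = None   # nat-to address set by a match rule
    tag: Optional[str] = None      # tag set by a match rule

def evaluate(rules, dst, port, default="pass"):
    """Return (verdict, nat_to, tag): last matching pass/block rule wins,
    match rules only accumulate options, and quick stops evaluation."""
    verdict, nat_to, tag = default, None, None
    for r in rules:
        if r.dst is not None and ip_address(dst) not in ip_network(r.dst):
            continue
        if r.port is not None and r.port != port:
            continue
        if r.action == "match":
            # a match rule never decides the verdict, it only sets options
            nat_to = r.nat_to if r.nat_to is not None else nat_to
            tag = r.tag if r.tag is not None else tag
        else:
            verdict = r.action
        if r.quick:
            break                  # quick ends evaluation, even on match
    return verdict, nat_to, tag

# Ken's three rules, with constructed values: $if:network = 1.2.3.0/24,
# $if = 1.2.3.1, so that 1.2.3.4 is a host inside the NATed network.
KEN = [
    Rule("pass", dst="1.2.3.0/24", port=22),
    Rule("match", quick=True, dst="1.2.3.4/32", tag="NoNat"),
    Rule("match", dst="1.2.3.0/24", nat_to="1.2.3.1"),
]

# Assumed reconstruction of the "packet purgatory" ordering: a default
# block, then 'match quick' placed ahead of the pass rules, so the quick
# match stops evaluation while 'block' is still the verdict in force.
PURGATORY = [
    Rule("block"),
    Rule("match", quick=True, dst="1.2.3.0/24", nat_to="1.2.3.1"),
    Rule("pass", dst="1.2.3.0/24", port=22),
]
```

Dropping quick from the match rule in PURGATORY lets evaluation reach the pass rule, which is the fix the thread is circling around.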

