On 1 November 2009 c. 00:00:41 ghe wrote:
> I'm fresh off the boat from Debian. I love OpenBSD's attitude, and the
> documentation is even pretty decipherable, but I'm still a little
> confused by pf. I managed to build a trivial filter, but there are a
> few things I don't understand.
>
> I read somewhere (3 books, google, the website docs, and man) that a
> longer rule takes longer to do its work. Why? I don't understand how
> pf works -- I'd expect pfctl, while it's munging pf.conf, to make most
> of the conditions into a big mask that could just && with the IP
> header and make a decision on the result. So specifying the proto and
> both addresses and flags shouldn't make much difference in efficiency.
> No?
Not a mask, it's a number of "if" checks to be done. But you should not bother, it's fast enough compared to the other things pf and the network stack do.

> pf.conf consists largely of anchors (to fork on protocol) and sub-
> anchors below them to fork on service -- I'm trying to reduce the
> count of rules seen by a packet to a minimum. But
> pfctl -vs Anchors

Bad idea. pf is not iptables. Read the FAQ for examples, and start from scratch using tricks from those examples, not from iptables. Sorry, I won't comment on the next part of your message because you're moving in the wrong direction anyway.

> Why does pfctl say there's a TCP_IN/TCP_IN?

Because you defined it, no? :)

> Do there have to be "/*"s after all the anchor names?

No, you need it just to evaluate the sub-anchors of your anchor.

> Is it true that sub-anchors are 'evaluated' in alphabetical order as
> opposed to the order in the file? If so, is there a reason for this?

No.

> And is there a way to get rid of an anchor without rebooting? When I
> change spellings,
> pfctl -s Anchors
> shows the old ones still in there.

Yes, use "pfctl -f" or "pfctl -a anchorname -f" depending on what you actually want to do.

--
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
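To make the two anchor forms and the reload advice concrete, here is a small pf.conf fragment added as an illustration; it is not from the thread or from the OpenBSD project. It shows the plain `anchor "name"` form (evaluates only the rules in that anchor), the `anchor "name/*"` form (also evaluates its sub-anchors), a `load anchor` line that fills a sub-anchor at `pfctl -f` time, and, in comments, the pfctl(8) invocations that reload, flush and inspect an anchor without rebooting. The interface name, the addresses in the table, the anchor names and the file path are all placeholders chosen for the example.

```pf
# Added example, not part of the mailing-list thread.
# em0, the <admins> addresses, "services" and the anchor file path are placeholders.

ext_if = "em0"
table <admins> { 192.0.2.10, 192.0.2.11 }   # constructed sample addresses

set skip on lo
block in log on $ext_if
pass out on $ext_if keep state

# Plain form: when a packet reaches this line, only the rules loaded
# directly into the "services" anchor are evaluated.
anchor "services"

# Wildcard form: additionally evaluates every sub-anchor under
# "services" (for example services/ssh). Without the "/*" the
# sub-anchors are simply never consulted.
anchor "services/*"

# Fill a sub-anchor from its own file when pf.conf is loaded. The file
# holds ordinary rules, e.g.:
#   pass in on em0 proto tcp from <admins> to (em0) port 22
load anchor "services/ssh" from "/etc/pf.anchors/services-ssh"

# Managing anchors at runtime with pfctl(8), no reboot needed:
#   pfctl -f /etc/pf.conf                                 # reload the whole ruleset
#   pfctl -a services/ssh -f /etc/pf.anchors/services-ssh # reload just that anchor
#   pfctl -a services/ssh -F rules                        # flush its rules; an empty,
#                                                         # unreferenced anchor disappears
#   pfctl -s Anchors                                      # list top-level anchors
#   pfctl -a services -s Anchors                          # list sub-anchors of "services"
#   pfctl -a 'services/*' -s rules                        # show rules in the anchor tree
#   pfctl -nf /etc/pf.conf                                # parse only, load nothing
```

Because anchor rules are loaded into the kernel by name, a renamed anchor in pf.conf leaves the old name's rules in place until they are flushed with `-F rules` under the old name or the full ruleset is reloaded; `pfctl -nf` is the cheap way to catch typos in anchor names before they reach the kernel.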