On Thu, Feb 06, 2020 at 02:34:51PM -0600, Michael Glasgow wrote:

> I was accustomed to first-match from previous solutions, so I just
> carried over that practice to pf without thinking too much about it.
> Recently I'd begun to wonder if there was perhaps some actual reason
> that pf was designed to be last-match by default, and it made me
> wonder if there was some perspective I'd never considered.

It's

Last match wins was inherited from IPF (which, it was once jokingly suggested by Henning, "was designed by an Australian, so everything was upside down"). Basically, in the rush to implement a reasonably-licensed replacement it was decided that it was important to not break existing setups too horribly. Since then of course we have seen some major shakeups in syntax such as the NAT rewrite and the ALTQ to new queues reimplementation. But going to first match would still be a very fundamental change of how configurations work, so it's unlikely to happen.

> But perhaps last-match is only a "default" for some reason relating
> to syntax, and it wasn't necessarily intended to imply a preference
> for how rules are written?

It's historical reasons, really. To quick or not is really up to whoever is tasked with maintaining the configuration. As long as you stay in control of the logic, either way is fine in my book.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
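The "last match wins unless quick" behaviour that the reply describes is easy to get wrong when a ruleset is edited by someone used to first-match firewalls. Below is an added example, not from the thread or from pf itself: a small Python model of pf's evaluation order run over constructed rulesets. It shows that the last-match style (block all, then pass) and the first-match style (pass quick, then block) produce the same decisions, and that a block rule placed early without `quick` is silently overridden by a later matching pass. The rule and packet types, the rulesets and the addresses are all constructed for the example; the model only handles protocol, source network and destination port.

```python
"""Toy model of pf rule evaluation: the last matching rule wins, unless a
matching rule carries 'quick', which ends evaluation at that rule.
Rulesets and packets below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # 'quick' stops evaluation at this rule
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # source network in CIDR form; None matches any
    dport: Optional[int] = None  # destination port; None matches any


@dataclass
class Packet:
    proto: str
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every criterion it specifies agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src is not None:
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Walk the ruleset top to bottom. Each matching rule replaces the
    current winner; a matching 'quick' rule ends the walk immediately.
    When nothing matches at all, pf's default is to pass."""
    winner: Optional[Rule] = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"


# Last-match style: block everything, then open the services you want.
LAST_MATCH = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22),
    Rule("pass", proto="tcp", dport=80),
]

# First-match style using quick: open services first, block the rest.
FIRST_MATCH = [
    Rule("pass", quick=True, proto="tcp", dport=22),
    Rule("pass", quick=True, proto="tcp", dport=80),
    Rule("block"),
]

# Ordering pitfall: the block for an unwanted network is written early but
# without 'quick', so the later 'pass ... port 22' matches last and wins.
BLOCKLIST_NO_QUICK = [
    Rule("block"),
    Rule("block", src="203.0.113.0/24"),
    Rule("pass", proto="tcp", dport=22),
]

# Same intent with 'quick' on the blocklist rule: evaluation stops there.
BLOCKLIST_QUICK = [
    Rule("block"),
    Rule("block", quick=True, src="203.0.113.0/24"),
    Rule("pass", proto="tcp", dport=22),
]


def decide_all(rules: List[Rule], pkts: List[Packet]) -> List[str]:
    """Convenience wrapper: decision for each packet under one ruleset."""
    return [evaluate(rules, p) for p in pkts]


if __name__ == "__main__":
    probes = [Packet("tcp", "198.51.100.5", 22),
              Packet("tcp", "198.51.100.5", 25),
              Packet("tcp", "203.0.113.7", 22)]
    for name, rs in [("last-match", LAST_MATCH), ("first-match", FIRST_MATCH),
                     ("blocklist without quick", BLOCKLIST_NO_QUICK),
                     ("blocklist with quick", BLOCKLIST_QUICK)]:
        print(f"{name:24s} {decide_all(rs, probes)}")
```

Running the script prints one decision list per ruleset; the third probe (SSH from the blocklisted network) is the one that differs between the two blocklist variants, which is the check worth making whenever a block rule is added above existing pass rules in a ruleset that does not use `quick` consistently.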
