Thanks. That makes sense. -- Adonis
On Wed, Mar 26, 2025, at 9:34 PM, Kenneth Gober wrote:
> On Wed, Mar 26, 2025 at 3:33 PM <[email protected]> wrote:
>> So the "Proper use of self" post made me ponder about the proper use of
>> "quick". My ruleset consists of a lot of "quick" rules (more than 90%)
>> because in my mind it's faster to stop evaluating any further rules if it
>> isn't needed. But it feels weird that every rule I write now always has
>> "quick", and it's making me wonder if that's wrong because nearly all other
>> pf rulesets I see don't use "quick" so much. Is heavy use of "quick" bad /
>> to be avoided, or am I just writing my rules wrong? I am actually curious
>> myself how nearly all my rules devolved into being "quick".
>
> I think it's just a question of what makes more sense to you. It's important
> to match the structure of your ruleset to the way you naturally think about
> packet filtering, because the goal is to have a clear ruleset that is easily
> understood and reasoned about. A ruleset that's hard to understand is a
> ruleset that's hard to trust because you can't be certain it's correct.
>
> For some people, they think of their rules as general rules followed by
> exceptions and special cases. They want 'last match' semantics. They wouldn't
> use "quick" because they want a later rule to be able to override an earlier
> one.
>
> For others (myself included) it makes more sense to think of the ruleset as a
> filter through which packets flow, with rules diverting packets for processing
> as they pass by. As you go down the list fewer and fewer packets remain to be
> evaluated, and the remaining rules apply only to the packets that weren't
> processed by any earlier rules. If you think about your rules in this way
> (i.e. 'first match' semantics) then "quick" makes sense for you.
>
> -ken
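The two readings Ken describes, as an added toy model of pf's evaluation order (constructed for this thread, not pf's own code): the same policy is written once in last-match style (general rule first, exceptions after, no quick) and once in first-match style (specific quick rules first, catch-all last), and both give identical decisions; the Rule fields, sample addresses and packets are assumptions.

```python
# Toy model of pf evaluation order: last match wins by default, "quick"
# ends evaluation at the first match. Constructed example, not pf's code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR; None matches any source
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and (self.dport is None or self.dport == pkt["dport"]))

def evaluate(rules: list, pkt: dict) -> tuple:
    """Return (decision, rules consulted). The last matching rule wins unless
    a matching rule is quick, which stops evaluation; no match means pass."""
    decision = "pass"
    for n, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                return decision, n
    return decision, len(rules)

# General rule first, exceptions later: relies on last-match semantics.
LAST_MATCH = [
    Rule("block"),
    Rule("pass", proto="tcp", dport=22),
    Rule("pass", proto="tcp", dport=80),
    Rule("block", proto="tcp", src="10.0.0.0/8", dport=22),
]
# Same policy as first-match: most specific rules first, each quick, catch-all
# last. Adding quick to LAST_MATCH unchanged would make "block" swallow everything.
FIRST_MATCH = [
    Rule("block", quick=True, proto="tcp", src="10.0.0.0/8", dport=22),
    Rule("pass", quick=True, proto="tcp", dport=22),
    Rule("pass", quick=True, proto="tcp", dport=80),
    Rule("block"),
]
PACKETS = [  # constructed sample packets
    {"proto": "tcp", "src": "192.0.2.10", "dport": 22},  # pass
    {"proto": "tcp", "src": "10.1.2.3", "dport": 22},    # exception blocks
    {"proto": "tcp", "src": "192.0.2.10", "dport": 80},  # pass
    {"proto": "udp", "src": "192.0.2.10", "dport": 53},  # catch-all blocks
]
def decisions(rules: list) -> list:
    return [evaluate(rules, p)[0] for p in PACKETS]
```

The second element returned by evaluate shows the efficiency point from the question: the quick ruleset stops at the first match, while the last-match ruleset always walks every rule.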
