[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Group and Head in ipfilter

To: misc@openbsd.org
Subject: Re: Group and Head in ipfilter
From: Matt Sauve-Frankel <baud@philosophiebleue.com>
Date: Sat, 1 Sep 2001 17:56:17 -0400
Content-Disposition: inline
References: <E15c2Lt-00015F-00@stella.conradwood.net>
User-Agent: Mutt/1.2.5i

On Wed, Aug 29, 2001 at 11:13:41AM +0100, openbsd@conradwood.net wrote:
> it is really simple actually:
> 
> block in .... head 30
> means that if the rule matches it continues with group 30.
> you put rules into group 30 like this:
> block in .... group 30
> block in .... group 30
> ...
> you can mix it like this;
> block in .... group 30 head 40
> (means that whilst processing group 30 rules it may start processing group 40)
> 
> the normal \"quick\" conditions apply.

Actually, there is a small distinction with the quick keyword when used in 
conjunction with the head keyword.

example rule:

block in quick on dc0 all head 30

this will match any incoming packet on interface dc0 and proceed 
to try and match the packet against any rule in group 30.
if the packet fails to match any other rule the packet will be dropped.

you can use this to split your rules into "trees" of rules 
and minimize the amount of matching rules per packet.

-- 
Matt Sauve-Frankel		||Philosophie Bleue http://philosophiebleue.com
Network Administrator		||		    http://philosophyblue.com

Prev by Date: atapi/eide hard driver error message
Next by Date: Re: wicontrol
Prev by thread: Re: atapi/eide hard driver error message
Next by thread: IPSec-ID ?ns
Index(es):
- Date
- Thread