ipf group/head (and quick)

To: tech-net%netbsd.org@localhost
Subject: ipf group/head (and quick)
From: Edgar Fuß <ef%math.uni-bonn.de@localhost>
Date: Tue, 7 Jun 2016 20:17:31 +0200

I'm once again confused about the exact semantics of ipf groups, especially 
in conjunction with "quick".

Generally, my impression is that rules in ipf.conf (or elsewhere) are, in 
turn, added to per-group lists depending on the "group" part of the rule (0 
as a default); then, after parsing, we have as many lists as we have groups 
and every packet starts to be matched against the rules on list 0, until it 
matches a "head n" rule, after which it starts to be matched against all the 
rules on list n, no matter where they appear in ipf.conf. Is that correct?
So, if, in ipf.conf, rule #3 is "head 100", #2 and #5 are "group 100" and 
#1, #4 #6 are default, and no rule is "quick", a packet matching the critera 
of #3 would be matched against #1, then #3, then #2 and #5, right? Would it 
also be matched against #4 or #6 afterwards?
What if a rule belonging to a non-default group has a "quick" attribute? 
Will this stop processing of the group or the whole ruleset?
Then, there's a sentence about "quick" on "head" rules I don't understand: 
"If quick is used with a head rule, rule processing isn't stopped until it 
has returned from processing the group". How could it stop otherwise? What 
exactly does "return" mean?

Can someone please enlighten me?

Follow-Ups:
- Re: ipf group/head (and quick)
  - From: Edgar Fuß

Prev by Date: Re: MP-safe ifnet with psz & psref
Next by Date: ipf.conf vs. ipf6.conf
Previous by Thread: bridge(4) and wm(4) with NET_MPSAFE is MP-scalable for now
Next by Thread: Re: ipf group/head (and quick)
Indexes:

Home | Main Index | Thread Index | Old Index