tech-net archive


Re: NPF and PF

> first filter input packets based on source address
> (default: block all).
> Then, if not blocked above, filter based on destination address
> (default: block all too)

How important is it that the filters be applied in this order?  I'm
having trouble imagining any difference, other than performance,
between the above and the same thing with the filters in the other
order, or even filtering on <src,dst> pairs (though of course this last
leads to a combinatorial issue if both lists are non-tiny).

> The problem is really to have a packet go through several rulesets,
> where a ruleset could decide to block the packet, or let it pass to
> the next one.

How does this differ - or, rather, what difference is relevant - from
a setup where you simply have a list of rules which are tried in order?
Why is it important to group them into rulesets?  (I can certainly
imagine possible reasons; I'm wondering what your actual reasons are.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
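To make the comparison in this exchange concrete, here is a small added simulation (not NPF or PF code, and not from either project) that evaluates the same constructed policy three ways: as two chained rulesets with default block (the quoted design), as a single ordered rule list (the reply's suggestion), and as one pass rule per <src,dst> pair. The allowlists, the sample packets and the first-match semantics of the toy evaluator are all assumptions made here; the page does not specify how either filter resolves multiple matches.

```python
"""Toy packet-filter evaluator comparing three policy layouts.
Added illustration: not NPF or PF code, and the first-match evaluation
below is an assumption of this toy, not a claim about either filter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed allowlists using documentation (RFC 5737) address ranges.
ALLOWED_SRC = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]
ALLOWED_DST = [ip_network("203.0.113.0/25")]


def in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def eval_ruleset(pkt, rules, default="block"):
    """rules: list of (action, predicate). First matching rule wins;
    if nothing matches, the ruleset's default applies."""
    for action, pred in rules:
        if pred(pkt):
            return action
    return default


# Design 1 (quoted text): rulesets applied in sequence, each default-block.
# A block in any ruleset is final; a pass hands the packet to the next one.
SRC_RULESET = [("pass", lambda p: in_any(p.src, ALLOWED_SRC))]
DST_RULESET = [("pass", lambda p: in_any(p.dst, ALLOWED_DST))]


def chained(pkt, rulesets=(SRC_RULESET, DST_RULESET)):
    for rs in rulesets:
        if eval_ruleset(pkt, rs) == "block":
            return "block"
    return "pass"


# Design 2 (the reply): one flat, ordered list of rules, tried in order.
FLAT_RULES = [
    ("block", lambda p: not in_any(p.src, ALLOWED_SRC)),
    ("block", lambda p: not in_any(p.dst, ALLOWED_DST)),
    ("pass", lambda p: True),
]


def flat(pkt):
    return eval_ruleset(pkt, FLAT_RULES)


# Design 3: one pass rule per <src,dst> pair, default block.
# Rule count is len(ALLOWED_SRC) * len(ALLOWED_DST): the combinatorial issue.
PAIR_RULES = [
    ("pass", lambda p, s=s, d=d: ip_address(p.src) in s and ip_address(p.dst) in d)
    for s, d in product(ALLOWED_SRC, ALLOWED_DST)
]


def pairs(pkt):
    return eval_ruleset(pkt, PAIR_RULES)


# Constructed sample traffic covering each allowed/not-allowed combination.
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5"),      # src ok,  dst ok  -> pass
    Packet("192.0.2.10", "203.0.113.200"),    # src ok,  dst bad -> block
    Packet("10.0.0.1", "203.0.113.5"),        # src bad, dst ok  -> block
    Packet("10.0.0.1", "10.0.0.2"),           # both bad         -> block
    Packet("198.51.100.7", "203.0.113.1"),    # single-host src  -> pass
]


def decisions(pkts=SAMPLE):
    """Per packet: verdicts from (chained, chained in reverse order, flat, pairs)."""
    return [
        (chained(p), chained(p, (DST_RULESET, SRC_RULESET)), flat(p), pairs(p))
        for p in pkts
    ]


def designs_agree(pkts=SAMPLE):
    """True when every layout reaches the same verdict for every packet."""
    return all(len(set(v)) == 1 for v in decisions(pkts))


if __name__ == "__main__":
    for p, v in zip(SAMPLE, decisions()):
        print(f"{p.src} -> {p.dst}: {v}")
    print("rules: chained", len(SRC_RULESET) + len(DST_RULESET),
          "flat", len(FLAT_RULES), "pairs", len(PAIR_RULES))
```

Running it shows the four layouts agreeing on every packet, including the chained design with the source and destination rulesets swapped, while the pair layout's rule count is the product of the two list sizes; with both lists default-block and independent of each other, the order of the two stages changes only how much work is done before a block, not the verdict.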
