Re: ipf group/head (and quick)

To: tech-net%netbsd.org@localhost
Subject: Re: ipf group/head (and quick)
From: Edgar Fuß <ef%math.uni-bonn.de@localhost>
Date: Thu, 9 Jun 2016 18:49:24 +0200

In the meantime, I managed to answer some of my question myself.

First, it looks that "head" indeed is sort of a subroutine call (to the 
corresponding group's rules) and not a branch. The question remains whether 
these calls can be nested.

EF> What if a rule belonging to a non-default group has a "quick" attribute? 
EF> Will this stop processing of the group or the whole ruleset?
I now guess it will stop the whole ruleset, i.e., it's "exit" rather that 
"return".

EF> Then, there's a sentence about "quick" on "head" rules I don't understand: 
EF> "If quick is used with a head rule, rule processing isn't stopped until it 
EF> has returned from processing the group". How could it stop otherwise? What 
EF> exactly does "return" mean?
This probably essentially means "quick with a head rule is no-nonsense". 
I think it should be
1) re-phrased more like "if a packet matches a head rule, the corresponding 
group's rules will be processed even if the head rule has a "quick" clause"
and
2) it should be made clear that the "quick" from the head rule is tentative 
only, i.e. "if the packet matches a non-"quick" rule in the group, this will 
cancel the head rule's "quick" clause, causing processing to continue (after 
finishing the group) with the rules following the head rule".

Follow-Ups:
- Re: ipf group/head (and quick)
  - From: Manuel Bouyer

References:
- ipf group/head (and quick)
  - From: Edgar Fuß

Prev by Date: dhcpcd and routing of ipv6 prefixes
Next by Date: Re: ipf.conf vs. ipf6.conf
Previous by Thread: ipf group/head (and quick)
Next by Thread: Re: ipf group/head (and quick)
Indexes:

Home | Main Index | Thread Index | Old Index