More pf parser fun & user error & unexpected results 'match quick'

More pf parser fun & user error & unexpected results 'match quick'

S. Donaldson
Ohh,

        I cleaned up a ruleset and added some quicks to sets of 'pass in on internal', 'match with nat-to', 'pass out on external' rules.

        I managed to put a quick directive behind a match (i.e. match quick ...) and that is a VERY BAD thing to do.

        The definition of the quick directive from the man page of pf.conf:

> If a packet matches a rule which has the quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped.

        And from the match directive:

> match
> The packet is matched. This mechanism is used to provide fine grained filtering without altering the block/pass state of a packet. ...

Thus if one applies 'quick' to a match rule one could end up consigning packets to 'packet purgatory'? Which is what I did.

Is 'match quick' ever valid?


Scott Donaldson

Saskatoon, SK
Canada


Re: More pf parser fun & user error & unexpected results 'match quick'

Kenneth Gober
On Thu, Feb 1, 2018 at 2:53 PM, S. Donaldson <[hidden email]> wrote:
> Thus if one applies 'quick' to a match rule one could end up consigning packets to 'packet purgatory' ? Which is what I did.
>
> Is 'match quick' ever valid?

It could be.  For example:

pass out on $if inet proto tcp from any to $if:network port 22

# this device needs unaltered packets but has full routing info to send replies
match out quick on $if to 1.2.3.4 tag NoNat

# but most devices have no route tables, or default routes point
# elsewhere, so use NAT to ensure we get replies
match out on $if to $if:network nat-to $if

In this example you use match out quick to prevent evaluation of the
next match out (which will NAT your packet, which in this example you
want for most hosts but not this particular one).  It's a contrived
example but it could happen.

-ken
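Both situations in this thread, the 'packet purgatory' from the first post and the tag-then-skip-NAT ordering from Ken's reply, can be replayed with a small evaluator that implements only the semantics quoted above from pf.conf(5): the last matching pass/block rule decides, quick makes a rule the last one evaluated, and match applies its parameters (nat-to, tag) without touching the pass/block decision. This is an added example, not code from the thread or from pf itself; the interface names em0/em1, the addresses, and the leading `block all` (not shown in the original post, but the usual default that makes the symptom reproducible) are assumptions, and the third ruleset is Ken's with the inet/proto/port qualifiers dropped because the toy parser does not handle them.

```python
"""Toy replay of pf rule evaluation: last matching rule wins, `quick` ends
evaluation, `match` never changes pass/block.  Added example, not pf code;
interfaces, addresses and the `block all` are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str
    src: str
    dst: str


@dataclass
class Verdict:
    action: str = "pass"          # pf's default when no pass/block rule matches
    nat_to: Optional[str] = None
    tag: Optional[str] = None
    matched: list = field(default_factory=list)  # 1-based rule numbers that matched


def parse_rule(line: str) -> dict:
    """Parse the pf.conf(5) subset used below: action, in/out, quick, on, from, to, nat-to, tag, all."""
    words = line.split("#", 1)[0].split()
    rule = {"action": words[0], "quick": False, "direction": None, "iface": None,
            "src": "any", "dst": "any", "nat_to": None, "tag": None}
    keyed = {"on": "iface", "from": "src", "to": "dst", "nat-to": "nat_to", "tag": "tag"}
    i = 1
    while i < len(words):
        w = words[i]
        if w in ("in", "out"):
            rule["direction"] = w
        elif w == "quick":
            rule["quick"] = True
        elif w in keyed:
            i += 1
            rule[keyed[w]] = words[i]
        elif w != "all":
            raise ValueError(f"unsupported token {w!r} in {line!r}")
        i += 1
    return rule


def parse_ruleset(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.split("#", 1)[0].strip()]


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    return (rule["direction"] in (None, pkt.direction)
            and rule["iface"] in (None, pkt.iface)
            and addr_matches(rule["src"], pkt.src)
            and addr_matches(rule["dst"], pkt.dst))


def evaluate(rules: list, pkt: Packet) -> Verdict:
    v = Verdict()
    for n, rule in enumerate(rules, 1):
        if not rule_matches(rule, pkt):
            continue
        v.matched.append(n)
        if rule["nat_to"]:
            v.nat_to = rule["nat_to"]
        if rule["tag"]:
            v.tag = rule["tag"]
        if rule["action"] in ("pass", "block"):
            v.action = rule["action"]   # last matching pass/block rule decides
        if rule["quick"]:
            break                       # quick: this is the last rule evaluated
    return v


# Constructed rulesets (assumed): em1 is the internal side, em0 the external side.
PURGATORY = """
block all
pass in on em1 from 192.168.1.0/24 to any
match out quick on em0 from 192.168.1.0/24 to any nat-to 203.0.113.5
pass out on em0 from any to any   # never reached for the NATed traffic
"""
FIXED = PURGATORY.replace("match out quick", "match out")   # drop the quick

# Ken's ordering: pass is decided first, so match quick only short-circuits the NAT.
KEN = """
pass out on em0 from any to 10.0.0.0/24
match out quick on em0 to 10.0.0.77 tag NoNat
match out on em0 to 10.0.0.0/24 nat-to 203.0.113.5
"""

OUTBOUND = Packet("out", "em0", "192.168.1.10", "198.51.100.20")

if __name__ == "__main__":
    for name, text in (("purgatory", PURGATORY), ("fixed", FIXED)):
        print(name, evaluate(parse_ruleset(text), OUTBOUND))
    for dst in ("10.0.0.77", "10.0.0.9"):
        print("ken", dst, evaluate(parse_ruleset(KEN), Packet("out", "em0", "10.0.0.1", dst)))
```

With the first ruleset the outbound packet matches `block all`, then the `match out quick` sets nat-to and ends evaluation, so the `pass out` is never reached and the verdict stays block: that is the purgatory. Removing the quick lets the pass rule run and the packet leaves NATed. In Ken's ordering the pass rule has already matched before the `match quick`, so the only thing the quick suppresses is the later nat-to. Note that `pfctl -nf` accepts `match quick` as valid syntax, so a syntax check will not warn about the ordering; it has to be reasoned through (or replayed, as here) by hand.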