Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?


From: David Pick <d.m.pick () qmul ac uk>
Date: Sat, 10 May 2003 14:40:05 +0100


Is it not better to have a ruleset firing on closest fit? Decide on which
rule to apply based on a nesting of address space (single hosts with subnets
within domains within interfaces, exact ports within port ranges etc.) and
match on protocol (UDP versus ICMP versus TCP etc.) Rules are made of tuples
similar to sockets, except that there are other possible dimensions added
(protocol, authenticated, un-authenticated, source interface, destination
interface, time of day, phase of moon etc.). Order of rule firing based on
textual order is always going to create problems.
If the firewall can generate this tree implied by nesting, then rule lookup
will be faster as well, since the maximum lookup is log(nesting factor) and
it can still be done with hash table lookup.

It certainly *can* do so if it wants! Perhaps using a radix-tree in the
same sort of way (most) UNIX kernels do at the moment for storing the
routing tables where most-specific matches are already used. *However*
there will be an "interesting" problem deciding between (for example)
a specific-address general-port rule and a general-address specific-port
rule; so there needs to be a "tie-break" mechanism (rule!)

-- 
        David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
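The tie-break problem raised in the reply above, as an added example that is not code from the list, from PF or from IPF: a toy most-specific-match lookup over three assumed dimensions (source prefix length, protocol fixed or not, destination port range width). A rule "dominates" another only when it is at least as specific in every dimension and strictly more specific in one; candidates that no other candidate dominates are the maximal ones, and when more than one survives the lookup must fall back on an explicit tie-break policy. The rule names and packets are constructed for the demonstration.

```python
"""Most-specific-match rule lookup with an explicit tie-break.

Illustrative code, not PF/IPF internals. Each rule carries an assumed
specificity tuple; lookup keeps the candidates no other candidate dominates
and applies a configurable tie-break when several are left.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # CIDR prefix, "0.0.0.0/0" for any source
    proto: Optional[str]   # "tcp", "udp", "icmp", or None for any protocol
    ports: tuple           # inclusive (lo, hi) destination port range
    action: str

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and (self.proto is None or self.proto == proto)
                and self.ports[0] <= dport <= self.ports[1])

    def specificity(self) -> tuple:
        """Higher is more specific in every coordinate (assumed metric)."""
        prefixlen = ip_network(self.src, strict=False).prefixlen
        proto_fixed = 1 if self.proto is not None else 0
        port_width = 65535 - (self.ports[1] - self.ports[0])
        return (prefixlen, proto_fixed, port_width)


def dominates(a: Rule, b: Rule) -> bool:
    """a is at least as specific as b everywhere and strictly more somewhere."""
    sa, sb = a.specificity(), b.specificity()
    return all(x >= y for x, y in zip(sa, sb)) and sa != sb


def lookup(rules, src_ip, proto, dport, tie_break="first"):
    """Return (chosen_rule, maximal_candidates); chosen is None on no match."""
    cands = [r for r in rules if r.matches(src_ip, proto, dport)]
    if not cands:
        return None, []
    # Maximal elements of the partial order: nothing else beats them.
    maximal = [r for r in cands
               if not any(dominates(o, r) for o in cands if o is not r)]
    if len(maximal) == 1:
        return maximal[0], maximal
    # Incomparable rules, e.g. specific-address/any-port versus
    # any-address/specific-port: an explicit policy has to decide.
    if tie_break == "first":        # fall back on textual order
        chosen = maximal[0]
    elif tie_break == "address":    # longest prefix wins
        chosen = max(maximal, key=lambda r: r.specificity()[0])
    elif tie_break == "service":    # protocol/port specificity wins
        chosen = max(maximal, key=lambda r: r.specificity()[1:])
    else:
        raise ValueError(f"unknown tie_break {tie_break!r}")
    return chosen, maximal


# Constructed ruleset: a host block and a subnet-wide service allow overlap.
RULES = [
    Rule("deny-host", "10.0.0.5/32", None, ANY_PORTS, "block"),
    Rule("allow-ssh", "10.0.0.0/8", "tcp", (22, 22), "pass"),
    Rule("allow-web", "10.0.0.0/8", "tcp", (80, 80), "pass"),
    Rule("default", "0.0.0.0/0", None, ANY_PORTS, "block"),
]

if __name__ == "__main__":
    for pkt in [("10.0.0.5", "tcp", 22), ("10.0.0.7", "tcp", 22),
                ("192.168.1.1", "udp", 53)]:
        for policy in ("first", "address", "service"):
            chosen, maximal = lookup(RULES, *pkt, tie_break=policy)
            print(pkt, policy, chosen.name if chosen else None,
                  [r.name for r in maximal])
```

For a packet from 10.0.0.5 to tcp/22 both deny-host and allow-ssh survive as maximal, and the answer flips between block and pass depending on the tie-break policy; the ordering of the dimensions in the tuple is itself a policy decision, which is why a most-specific scheme cannot do without a stated tie-break rule.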

