Correction #9685
Processing order of ``match`` action for Floating Rules is ambiguous (Closed)
Description
Page: https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
Feedback:
Nice page, however the MATCH rule processing order is not described.
"Without Quick checked, the rule will only take effect if no other rules match the traffic."
This implies that without the QUICK flag a rule is evaluated after Floating, Interface group and Interface rules, basically at the end of the whole ruleset:
1. Floating rules (Quick)
2. Interface group rules
3. Interface rules
4. Floating rules (NON Quick)
It is clear so far, however:
"Match rules do not work with Quick enabled."
This means a MATCH rule is never quick, and according to the statement above ("Without Quick checked, the rule will only take effect if no other rules match the traffic") it is therefore processed at the end of the whole ruleset.
I don't think this is the reality otherwise there would be cases when MATCH rule would never be evaluated. Could you please explain in the document the processing order of a (non quick) MATCH rule?
Thank you!
Updated by David G over 5 years ago
I have to correct myself.
Processing order remains the same regardless of Quick or non-Quick:
1. Floating rules (Quick + NON Quick)
2. Interface group rules
3. Interface rules
But quick reverses the behavior of “first match wins” to be “last match wins”.
Therefore I can simplify my request:
Could you please describe in the book if “last match wins” is Applicable OR Not Applicable to MATCH rules (which are not quick)?
Thank you!
Updated by David G over 5 years ago
To further simplify (and if my understanding is correct), it can be said that: a MATCH rule applies immediately, it doesn't stop the rule processing, therefore the evaluation continues till the end of the ruleset.
Updated by Jim Pingle almost 3 years ago
- Subject changed from Feedback on Firewall — Floating Rules to Processing order of ``match`` action for Floating Rules is ambiguous
Updated by Chris W almost 3 years ago
- Status changed from New to Closed
Hello,
Apologies for only just getting you a response here, but I've been going through the backlog and wanted to add some clarification if it is still necessary. Your further simplification is correct: Match rules apply at the time they're processed in the ruleset, and processing will continue in the "last match wins" flow. Since Match rules can't be used with Quick, they cannot stop rule processing as would, for example, `block in quick on $WAN inet`.
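The semantics agreed on in this thread (floating rules first, then interface group, then interface rules; "last match wins" unless a rule is quick; match rules apply their options as they are reached and never stop evaluation) can be checked with a small model of the evaluation loop. The following is an added example, not code from the pfSense documentation or from this issue; the rule fields, the addresses, the queue names and the default-pass fallback are constructed assumptions for illustration, and the model does not attempt to reproduce pf itself.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical, simplified firewall rule: only the fields needed to show how
# "match", "quick" and "last match wins" interact. Constructed for this example.
@dataclass
class Rule:
    action: str                     # "pass", "block" or "match"
    quick: bool = False             # stop evaluation on hit; never allowed for match
    iface: Optional[str] = None
    src: Optional[str] = None
    dst_port: Optional[int] = None
    options: dict = field(default_factory=dict)   # e.g. {"queue": "qVoIP"}
    origin: str = "floating"        # floating / group / interface, for the trace

    def __post_init__(self):
        # The docs state match rules do not work with Quick; reject that combination.
        if self.action == "match" and self.quick:
            raise ValueError("match rules cannot be quick")

    def hits(self, pkt: dict) -> bool:
        return ((self.iface is None or self.iface == pkt["iface"]) and
                (self.src is None or self.src == pkt["src"]) and
                (self.dst_port is None or self.dst_port == pkt["dst_port"]))


def build_ruleset(floating, group, interface):
    # Processing order from the thread: floating rules (quick and non-quick
    # alike), then interface group rules, then interface rules.
    return list(floating) + list(group) + list(interface)


def evaluate(ruleset, pkt):
    """Return (final_action, accumulated_options, trace).

    trace lists (index, origin, action, quick) for every rule that was reached
    and matched the packet, so it shows exactly where evaluation stopped.
    """
    decision = "pass"     # assumed default when no pass/block rule matches
    options = {}
    trace = []
    for i, rule in enumerate(ruleset):
        if not rule.hits(pkt):
            continue
        trace.append((i, rule.origin, rule.action, rule.quick))
        if rule.action == "match":
            options.update(rule.options)   # applied now; evaluation continues
            continue
        decision = rule.action             # last matching pass/block wins ...
        if rule.quick:
            break                          # ... unless that rule is quick
    return decision, options, trace


# Constructed sample rules (interfaces, addresses, ports and queue are made up).
FLOATING = [
    Rule("match", dst_port=5060, options={"queue": "qVoIP"}, origin="floating"),
    Rule("block", quick=True, iface="wan", src="203.0.113.5", origin="floating"),
    Rule("block", iface="wan", dst_port=23, origin="floating"),   # non-quick
]
GROUP = [Rule("pass", iface="wan", dst_port=23, origin="group")]
INTERFACE = [Rule("pass", iface="wan", dst_port=5060, origin="interface")]
RULESET = build_ruleset(FLOATING, GROUP, INTERFACE)


def voip_from_blocked_host():
    # match applies its queue, then the quick block ends evaluation: block.
    return evaluate(RULESET, {"iface": "wan", "src": "203.0.113.5", "dst_port": 5060})


def voip_from_other_host():
    # match applies, nothing quick hits, the interface pass is the last match: pass.
    return evaluate(RULESET, {"iface": "wan", "src": "198.51.100.7", "dst_port": 5060})


def telnet_from_other_host():
    # non-quick block is overridden by the later group pass: last match wins.
    return evaluate(RULESET, {"iface": "wan", "src": "198.51.100.7", "dst_port": 23})


def match_after_quick_block():
    # A quick block placed before the match rule means the match is never reached.
    rs = [Rule("block", quick=True, iface="wan", src="203.0.113.5", origin="floating"),
          Rule("match", dst_port=5060, options={"queue": "qVoIP"}, origin="floating")]
    return evaluate(rs, {"iface": "wan", "src": "203.0.113.5", "dst_port": 5060})


if __name__ == "__main__":
    for fn in (voip_from_blocked_host, voip_from_other_host,
               telnet_from_other_host, match_after_quick_block):
        print(fn.__name__, fn())
```

The `trace` value is the useful part when reasoning about a real ruleset: `voip_from_blocked_host` shows the match rule hit before the quick block, while `match_after_quick_block` shows the match rule absent from the trace entirely, which is the case the original question was worried about (a match rule that never gets evaluated) and which only happens when a quick rule earlier in the ruleset has already ended processing.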