Netgate Discussion Forum
Floating rule, "match" action, tagging - is "quick" necessary?

Firewalling
4 Posts 2 Posters 698 Views
    timtrace, last edited by Oct 29, 2021, 3:14 PM

    Greetings - I want to use a floating rule with a "match" action to tag specific packets for filtering. Is "quick" necessary for the packets to be tagged before they get looked at by any other rules?

    The official docs say ...

    Match Action
    The match action is unique to floating rules. A rule with the match action will not pass or block a packet, but only match it to assign traffic to queues or limiters for traffic shaping. Match rules do not work with Quick enabled.
    https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html

    ... and that last sentence, while crystal-clear, confuses me in this situation. Wouldn't you want a floating "match" action rule to tag a packet before anything else gets a peek at it?

      mer @timtrace, last edited by Oct 29, 2021, 6:18 PM

      @timtrace The way I read it, you do not want to have a quick on match rules.

      Quick: as a keyword, means "don't process any more rules", so everything else is skipped. Which is why you don't want "quick" on "match".

      If I'm wrong, I'm sure someone will say so :)

        timtrace @mer, last edited by Oct 29, 2021, 6:35 PM

        @mer Thanks - you led me to review something else. I had two things wrong: 1) the order in which rules are processed, and 2) how "quick" rules fit into that order.

        https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html

        Rules are processed in this order: floating, IF group, IF. Quick exists only on floating rules, and has a "stop after processing this rule" effect. Do I have it right this time?

        I get it. You'd want a "match" action to not stop after processing its rule because you'll take other actions on that packet based on the outcome of the match.

        Thanks for the nudge.

          mer @timtrace, last edited by Oct 29, 2021, 6:46 PM

          @timtrace Yep that matches my understanding.
          The floating rules are basically "raw": you need to be able to specify anything you need (In/Out, interface, everything), so Quick only exists in the GUI to allow you to specify it.

          If you look at the rules as they exist on the device (I go to Diagnostics > Command Prompt and then enter "pfctl -sr", which dumps the rules as they wind up after optimization and processing):

          Doing this you'll notice that all your user-defined rules on an interface have the quick keyword automagically added. That keeps the order consistent with the GUI, so to a user "rules are processed top down, first match wins". Without "quick", all rules are processed top down and the LAST match wins.

          Think of Reverse Polish Notation on the old HP calculators :)
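As an added illustration (not code from the thread or from pfSense), here is a small Python model of the evaluation order mer describes: floating rules first, interface rules with quick added automatically, match rules that tag a packet without deciding pass/block, and last match wins wherever quick is absent. The addresses, ports and the GUEST tag are constructed; the model assumes, following the quick definition discussed above, that quick on a match rule ends evaluation, which is why the tag never reaches the interface rules in that case.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dport: int
    tag: Optional[str] = None      # set by a "match ... tag" rule

@dataclass
class Rule:
    action: str                    # "match", "pass" or "block"
    quick: bool = False
    src: Optional[str] = None      # None = any source
    dport: Optional[int] = None    # None = any destination port
    tag: Optional[str] = None      # tag to stamp on a matching packet
    tagged: Optional[str] = None   # only fire if the packet already carries this tag

    def hits(self, pkt: Packet) -> bool:
        return ((self.src is None or self.src == pkt.src)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.tagged is None or self.tagged == pkt.tag))

def evaluate(rules, pkt, default="block"):
    """Walk the ruleset top-down. pass/block: last match wins unless quick.
    match: applies its tag and never changes the decision. Assumption of this
    model: quick on any rule, match included, ends evaluation right there."""
    decision = default
    for r in rules:
        if not r.hits(pkt):
            continue
        if r.tag:
            pkt.tag = r.tag
        if r.action != "match":
            decision = r.action
        if r.quick:
            break
    return decision, pkt.tag

def build_ruleset(match_quick: bool):
    # constructed example: floating match rule tags one guest host
    floating = [Rule("match", quick=match_quick, src="10.0.0.50", tag="GUEST")]
    # interface rules: the GUI adds quick, so "first match wins" here
    interface = [Rule("block", quick=True, tagged="GUEST", dport=22),
                 Rule("pass", quick=True)]
    return floating + interface

def demo(match_quick: bool):
    rules = build_ruleset(match_quick)
    ssh, web = Packet("10.0.0.50", 22), Packet("10.0.0.50", 443)
    return evaluate(rules, ssh), evaluate(rules, web)
```

With quick off, the guest's SSH is blocked by the tagged interface rule and its HTTPS passes; with quick on the match rule, both packets get tagged but evaluation stops, so both fall to the default block.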

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.