Netgate Discussion Forum

    Floating rule, "match" action, tagging - is "quick" necessary?

    Firewalling
    4 Posts 2 Posters 684 Views

    timtrace:

      Greetings - I want to use a floating rule with a "match" action to tag specific packets for filtering. Is "quick" necessary for the packets to be tagged before they get looked at by any other rules?

      The official docs say ...

      Match Action
      The match action is unique to floating rules. A rule with the match action will not pass or block a packet, but only match it to assign traffic to queues or limiters for traffic shaping. Match rules do not work with Quick enabled.
      https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
      

      ... and that last sentence, while crystal-clear, confuses me in this situation. Wouldn't you want a floating "match" action rule to tag a packet before anything else gets a peek at it?


      mer (replying to timtrace):

        @timtrace The way I read it, you do not want to have a quick on match rules.

        Quick, as a keyword, means "don't process any more rules", so everything else is skipped. Which is why you don't want "quick" on "match".

        If I'm wrong, I'm sure someone will say so :)


        timtrace (replying to mer):

          @mer Thanks - you led me to review something else. I had two things wrong: (1) the order in which rules are processed, and (2) how "quick" rules fit into that order.

          https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html

          Rules are processed in this order: floating, IF group, IF. Quick exists only on floating rules, and has a "stop after processing this rule" effect. Do I have it right this time?

          I get it. You'd want a "match" action to not stop after processing its rule because you'll take other actions on that packet based on the outcome of the match.

          Thanks for the nudge.


          mer (replying to timtrace):

            @timtrace Yep, that matches my understanding.
            The floating rules are basically "raw": you need to be able to specify anything you need (in/out, interface, everything), so Quick only exists in the GUI to allow you to specify it.

            If you look at the rules as they exist on the device (I go to Diagnostics, Command Prompt and then enter "pfctl -sr", which dumps the rules as they wind up after optimization and processing), you'll notice that all your user-defined rules on an interface have the quick keyword automagically added. That keeps the order consistent with the GUI for a user: "rules are processed top down, first match wins". Without "quick", all rules are processed top down and the LAST match wins.

            Think of Reverse Polish Notation on the old HP calculators :)
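To make the two orderings in this thread concrete, here is a small constructed model of pf rule evaluation (added here; it is not pfSense's or pf's own code). It treats quick the way the replies describe it, as "stop after this rule", so it also shows why a quick on a match rule would leave later pass rules unevaluated; the ruleset and packets are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass", "block" or "match"
    quick: bool = False
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    tag: Optional[str] = None        # tag a match rule attaches
    queue: Optional[str] = None      # queue a match rule assigns

@dataclass
class Packet:
    proto: str
    dport: int
    tags: set = field(default_factory=set)
    queue: Optional[str] = None

def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto) and
            (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt):
    """Walk the ruleset once and return the final verdict for pkt.
    Last matching pass/block wins unless a matching rule carries quick,
    which ends evaluation; match rules only tag/queue and never decide."""
    verdict = "pass"          # pf's implicit default when no rule matches
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "match":
            if rule.tag:
                pkt.tags.add(rule.tag)
            if rule.queue:
                pkt.queue = rule.queue
        else:
            verdict = rule.action     # a later match overrides an earlier one
        if rule.quick:
            break                     # "stop after processing this rule"
    return verdict

# Constructed ruleset in evaluation order: an explicit default block first
# (no quick, so later rules can override it), then the "user" rules with quick.
RULESET = [
    Rule("block"),
    Rule("match", proto="tcp", dport=443, tag="WEB", queue="qWeb"),
    Rule("pass", quick=True, proto="tcp", dport=443),
    Rule("block", quick=True, proto="tcp"),
    Rule("pass", proto="udp"),        # no quick: wins only because it is last
]
```

Swap the match rule for one with quick=True and a TCP/443 packet is tagged but never reaches the pass rule, so the default block stands.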

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.