On Wed, Feb 16, 2005 at 11:02:09PM +0100, Manon Goo wrote:

> >The kernel will evaluate the criteria in a fixed order, in general the
> >cheap ones come first.
>
> Does this mean for a rule having expensive conditions (user = xx ) and
> cheap conditions (
> to = xx ) the rule stays cheap unless the cheap conditions are true ?

Yes, the evaluation does 'short-circuit'. If the evaluation of a cheap
criterion is false (meaning that the rule, as a whole, cannot possibly
match), the remaining criteria are not evaluated at all.

There's more optimizations like this. For instance, if the rule contains
a (cheap) source address restriction which is found to mismatch, and
subsequent rules (immediately following the current rule) also contain
the same source address restriction, those subsequent rules are skipped
entirely.

You can probably find a more detailed explanation when you google for
'pf skip steps'.

Daniel