pf match action: I still don't understand what match does?

pf match action: I still don't understand what match does?

Post by openbsdsir008 » 2014-07-08 11:42

match
The packet is matched. This mechanism is used to provide fine-grained filtering without altering the block/pass state of a packet.
match rules differ from block and pass rules in that parameters are set every time a packet matches the rule, not only on the last matching rule. For the following parameters, this means that the parameter effectively becomes 'sticky' until explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and scrub.
log is different still, in that the action happens every time a rule matches, i.e. a single packet can get logged more than once.


block and pass are easy to understand: they stop packets and allow packets through.
match is hard to understand?


Re: pf match action: I still don't understand what match does?

Post by toor » 2014-07-12 16:43

match
When a packet traverses the ruleset and matches a match rule, any optional parameters specified in that rule are remembered for future use (made "sticky").
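My understanding is that match is like "if" in a programming language: it applies the specified operation only to packets that meet particular conditions.
Another point is that when the action you want to take on a packet is neither "pass" nor "block" but some other action (such as nat-to), you first need to use match to specify the conditions for that kind of packet.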
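
The man-page text quoted in this thread, shown as a small pf.conf. This is an added example and not part of either post; the interface names, the LAN prefix and the chosen ports are assumptions.

```conf
# Constructed example: em0/em1 and 192.168.1.0/24 are assumed values.
ext_if = "em0"              # outside interface
int_if = "em1"              # LAN-facing interface
lan    = "192.168.1.0/24"

# 1. match makes no pass/block decision. It only records nat-to for
#    LAN packets leaving ext_if; the value stays "sticky" while the
#    rest of the ruleset is evaluated.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# 2. log on a match rule fires every time the rule matches,
#    whatever the final verdict for the packet turns out to be.
match log out on $ext_if inet proto tcp to any port 25

# 3. Default verdict. For block and pass, only the LAST matching
#    rule counts, so every pass below can override this.
block log all

# 4. Let LAN traffic enter the firewall on the inside interface.
pass in on $int_if inet from $lan to any

# 5. The verdict for outbound traffic. This rule carries no nat-to,
#    yet the translation remembered from rule 1 is applied when it
#    passes a packet. Rules evaluated after a nat-to see the packet
#    with its translated source, so this rule does not filter on $lan.
pass out on $ext_if inet proto { tcp, udp } to any port { 53, 80, 443 }

# Walk-through for two LAN packets leaving ext_if:
#   tcp to port 443: rule 1 (nat-to remembered), rule 3 (block),
#                    rule 5 (pass, last match) -> passed and translated.
#   tcp to port 25:  rule 1, rule 2 (logged), rule 3 (last match,
#                    logged again) -> dropped, logged twice.
```

The file can be syntax-checked without loading it with `pfctl -nf <file>`.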
