pf match action 始终不明白match起什么作用。？

[openbsdsir008]

match
the packet is matched. this mechanism is used to provide fine grained filtering without altering the block/pass state of a packet.
match rules differ from block and pass rules in that parameters are set every time a packet matches the rule, not only on the last matching rule. for the following parameters ,this mean that the parameter effectively become 'sticky' until explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and scrub.
log is different still, in that the action happens every time a rule matches i.e. a single packet can get logged more than once.


block和pass 很好理解，就是阻止包和允许包通过。
match很难懂？

[toor]

match
When a packet traverses the ruleset and matches a match rule, any optional parameters specified in that rule are remembered for future use (made "sticky").

我的理解是，match就像编程语言里面的“if”，只对满足特定条件的数据包采取指定的操作。
另外一点就是，当你对数据包要采取的动作既不是“pass”，也不是“block”，而是其他动作（如nat-to），这时候就要先用match来指定此类数据包的条件。