IPFW Ordering of ipfw rules and sets

Hi,

this is a question about the ordering of ipfw rules.
As stated in the documentation ( https://www.freebsd.org/doc/handbook/firewalls-ipfw.html ), the ipfw command syntax is:

CMD RULE_NUMBER set SET_NUMBER ACTION log LOG_AMOUNT PROTO from SRC SRC_PORT to DST DST_PORT OPTIONS

Does the ordering of rules depend only on the RULE_NUMBER, or does the SET_NUMBER have an influence?

One could imagine that sets are treated one after another. In this case rule number 200 of set 1 would be treated before rule number 100 of set 2. Is this the case?
Or can rules in different sets get interleaved so as to respect an ordering based only on RULE_NUMBER?
 
I have to admit that the following is not the 100 % perfect and definitive answer; however, I read the manual ipfw(8), and especially its section that explains the purpose of sets. From the total absence of any hint that sets would serve for rule ordering, while at the same time there is a very clear explanation of the purpose of sets, namely atomically (i.e. all at once) enabling/disabling the set's rules, I conclude that sets do not have an influence on the sequence of evaluation of the enabled rules.
 
Like obsigna says, sets act as "rule groups", allowing groups to be enabled or disabled. As rules are added, their numbers are retained regardless of whether they were explicitly set or automatically set. Therefore the rule numbers are what matters. However, if sets have rules with identical numbers while both are enabled, this might not be true. I think they go in order of which was added in that case (which I recommend you don't do; always use unique numbers). This is pretty easy to play around with and test, so I'd do some experiments until confident you understand the behavior.
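A small model of the evaluation order described in the two replies, added here as an illustration (not ipfw's code and not from the FreeBSD project): rules are walked by RULE_NUMBER, the set only decides whether a rule is currently enabled, and rules sharing a number are tried in insertion order, as the second reply describes. The `Ruleset` class, the packet dicts and the match lambdas are constructed stand-ins for ipfw's PROTO/SRC/DST/OPTIONS matching; the default rule is assumed to be the usual 65535 deny in set 31.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Packet = Dict[str, object]  # constructed sample packet, e.g. {"proto": "tcp", "dport": 22}


@dataclass
class Rule:
    number: int
    set_no: int
    action: str                       # "allow" or "deny"
    match: Callable[[Packet], bool]   # stands in for PROTO from SRC to DST OPTIONS
    seq: int = 0                      # insertion order, filled in by Ruleset.add


@dataclass
class Ruleset:
    rules: List[Rule] = field(default_factory=list)
    enabled_sets: Set[int] = field(default_factory=lambda: set(range(32)))

    def add(self, number: int, set_no: int, action: str, match) -> None:
        """Like `ipfw add NUMBER set SET ...`; the number is kept as given."""
        self.rules.append(Rule(number, set_no, action, match, seq=len(self.rules)))

    def set_disable(self, n: int) -> None:
        """Like `ipfw set disable n`: every rule of the set drops out at once."""
        self.enabled_sets.discard(n)

    def set_enable(self, n: int) -> None:
        self.enabled_sets.add(n)

    def evaluate(self, pkt: Packet):
        """Return (rule number, action) of the first matching enabled rule."""
        for r in sorted(self.rules, key=lambda x: (x.number, x.seq)):
            if r.set_no in self.enabled_sets and r.match(pkt):
                return r.number, r.action
        return 65535, "deny"  # default rule lives in set 31, which is never disabled


def demo():
    """The scenario from the question: rule 200 in set 1 vs rule 100 in set 2."""
    fw = Ruleset()
    fw.add(200, 1, "deny", lambda p: p["dport"] == 22)
    fw.add(100, 2, "allow", lambda p: p["dport"] == 22)
    ssh = {"proto": "tcp", "dport": 22}
    first = fw.evaluate(ssh)   # rule 100 wins although it sits in the higher set
    fw.set_disable(2)
    after = fw.evaluate(ssh)   # set 2 is gone atomically, so rule 200 now matches
    return first, after
```

Running `demo()` returns `((100, 'allow'), (200, 'deny'))`, which is the interleaving-by-number behaviour the replies describe, followed by the effect of disabling a whole set.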
 