Rule equivalence of uRPF check
Maxim Khitrov
mkhitrov at gmail.com
Fri Sep 11 01:46:39 UTC 2009
Hello all,
I would like to verify my assumptions regarding the way the uRPF check
works. I'm using a Soekris net5501 board as a firewall; port 0
($ext_if) is the internet uplink, and ports 1-3 ($int_if, $mil_if, $vpn_if)
are separate LAN segments that should not be communicating with one
another. Here is the start of my filter section:
# Block all traffic by default
block log
# Broadcast DHCP traffic must be passed before urpf check
pass in quick on !$ext_if proto udp from port dhcpc to 255.255.255.255 port dhcps
# Enable source address spoofing protection
block in quick from urpf-failed
The question I have is whether the urpf-failed check is equivalent to
the following three rules for each of the interfaces (I'm using
$int_if as an example here):
block in quick on $int_if from !$int_if:network
block in quick on !$int_if from $int_if:network
block in quick from $int_if
The OpenBSD PF FAQ states that urpf-check is equivalent to the
antispoof rules, but the antispoof section lists only the last two
rules in my example as being equivalent. So the question is: does urpf
imply the first rule as well?
- Max
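To make the comparison in the question concrete, here is an added model (my own code, not from the message or from pf) of what pf.conf(5) describes for urpf-failed: the source address is looked up in the routing table, and the packet fails the check if the best route back to that source does not leave through the interface the packet arrived on. The interface names vr0-vr3, the addresses, the static route 10.9.0.0/16 and the packets are all constructed for the example; the three rules from the message are applied to the three LAN interfaces only, since applying rule 1 to $ext_if would block the whole internet. It goes one step beyond the question by including a subnet reached through a router on $int_if, which is exactly the case where rule 1 and the uRPF check part ways.

```python
import ipaddress

# Constructed interfaces (assumption, not from the message): address and network
# of each port of a router like the net5501 described in the question.
IFACES = {
    "vr0": ("203.0.113.2", "203.0.113.0/24"),  # $ext_if (uplink)
    "vr1": ("192.168.1.1", "192.168.1.0/24"),  # $int_if
    "vr2": ("192.168.2.1", "192.168.2.0/24"),  # $mil_if
    "vr3": ("192.168.3.1", "192.168.3.0/24"),  # $vpn_if
}
LAN_IFACES = ("vr1", "vr2", "vr3")

# Constructed routing table: (prefix, outgoing interface). Connected networks,
# a default route, a host route for each local address (the kernel points those
# at lo0), and one static route to a subnet behind another router on $int_if.
ROUTES = [("0.0.0.0/0", "vr0"), ("10.9.0.0/16", "vr1")]
for name, (addr, net) in IFACES.items():
    ROUTES.append((net, name))
    ROUTES.append((addr + "/32", "lo0"))


def route_lookup(src):
    """Longest-prefix match: the interface the kernel would use to reach src."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_failed(src, in_if):
    """Model of pf's urpf-failed: the reverse route must leave via the arrival interface."""
    return route_lookup(src) != in_if


def antispoof_blocks(src, in_if, prot_if):
    """Rules 2 and 3 of the message, i.e. what 'antispoof for $prot_if' expands to."""
    ip = ipaddress.ip_address(src)
    addr, net = IFACES[prot_if]
    rule2 = in_if != prot_if and ip in ipaddress.ip_network(net)  # block in on !$if from $if:network
    rule3 = ip == ipaddress.ip_address(addr)                       # block in from $if
    return rule2 or rule3


def first_rule_blocks(src, in_if, prot_if):
    """Rule 1 of the message: block in quick on $prot_if from !$prot_if:network."""
    _, net = IFACES[prot_if]
    return in_if == prot_if and ipaddress.ip_address(src) not in ipaddress.ip_network(net)


def three_rules_block(src, in_if):
    """All three rules, instantiated for every LAN interface as the message proposes."""
    return any(first_rule_blocks(src, in_if, p) or antispoof_blocks(src, in_if, p)
               for p in LAN_IFACES)


def compare(packets):
    """Return (src, in_if, blocked_by_urpf, blocked_by_three_rules) per constructed packet."""
    return [(s, i, urpf_failed(s, i), three_rules_block(s, i)) for s, i in packets]


# Constructed test packets: (source address, arrival interface).
PACKETS = [
    ("192.168.1.50", "vr1"),  # legitimate host on $int_if
    ("192.168.2.50", "vr1"),  # $mil_if address arriving on $int_if
    ("192.168.1.50", "vr0"),  # LAN address arriving from the uplink
    ("192.168.1.1", "vr1"),   # the firewall's own address used as a source
    ("0.0.0.0", "vr1"),       # DHCP discover from a client with no address yet
    ("10.9.5.7", "vr1"),      # host behind the downstream router on $int_if
]

if __name__ == "__main__":
    for src, in_if, u, r in compare(PACKETS):
        tag = "agree" if u == r else "DIFFER"
        print(f"{src:>14} on {in_if}: urpf-failed={u!s:5} three-rules={r!s:5} {tag}")
```

Run as a script, the first five packets give the same verdict under both formulations, including the 0.0.0.0 DHCP source, which both block and which is why the DHCP pass rule has to come first. The last packet is the difference: uRPF lets 10.9.5.7 in on vr1 because the routing table says that is the way back to it, while rule 1 blocks it because it is not in $int_if:network. So uRPF implies rule 1 only when the interface carries no routes other than its own connected network.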