On 28 Mar 2015 at 8:00, Jeff wrote:
> Hi,
>
> We've been using pf.conf and tables for years but have
> recently embarked on a project to optimize pf.conf.
>
> In reading about tables it's not clear when tables are more
> efficient than individual rules. Is there a definitive point? Is it
> three entries? six entries? ten entries?
>
> If it's not a constant, is there a simple test that we can run
> to determine if a table is more efficient than individual rules in
> each case?
>
> Thanks!
> Jeff
> --
Aside from the documented performance advantage to using tables where multiple hosts are involved (whatever that exact number may be), there is a very important administrative advantage and the reason I often use tables with as few as one or two hosts in them -- you can modify entries in the table *without* having to reload your rule set (i.e. it is much safer and less disruptive). But as far as squeezing a few microseconds of performance (if that much) by "optimizing" pf.conf, I would not worry about that -- the developers are constantly improving the network stack and performance of all of its components, including the packet filter. The primary optimization we, the sysadmins, should focus on is manageability. All your marginal performance gains will be lost if the resulting pf.conf becomes unwieldy and unmanageable.
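As an added illustration of the reload-free table management described in the reply above (example configuration, not taken from either message in the thread; the interface group, table names and RFC 5737 documentation addresses are placeholders):

```pf
# /etc/pf.conf fragment (constructed example; addresses are placeholders)

# Without a table: one rule per host. Admitting or revoking a host means
# editing pf.conf and reloading the whole rule set with "pfctl -f /etc/pf.conf".
# pass in on egress proto tcp from 192.0.2.10 to any port 22
# pass in on egress proto tcp from 192.0.2.11 to any port 22

# With a table: the rule is written once and refers to the table by name.
# "persist" makes the kernel keep the table even when no rule refers to it.
table <admins> persist { 192.0.2.10, 192.0.2.11 }
pass in on egress proto tcp from <admins> to any port 22

# A table can also be loaded from a file, one address or network per line,
# which keeps a long or frequently changing list out of pf.conf entirely.
table <blocked> persist file "/etc/pf.blocked"
block in quick on egress from <blocked>

# Runtime changes, made with pfctl and no rule-set reload:
#   pfctl -t admins -T add 192.0.2.12                # admit a host immediately
#   pfctl -t admins -T delete 192.0.2.11             # revoke one, rules untouched
#   pfctl -t admins -T show                          # list current members
#   pfctl -t blocked -T replace -f /etc/pf.blocked   # resync table with the file
#   pfctl -t blocked -T test 198.51.100.7            # does this address match?
#
# Caveat: for a table whose definition lists addresses or a file, the next
# "pfctl -f /etc/pf.conf" replaces the table's contents with that definition,
# so changes that must survive a reload belong in pf.conf or the file as well.
```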