On Oct 31, 2009, at 9:26 PM, Ryan McBride wrote:
> I can't speak for the books, and I KNOW google is full of lies, but can
> you point out specifically what parts of the website docs and man page
> talk about this? It should be removed.
After going through the replies I've received, I'm thinking my trouble
is probably a combination of last version (or older) info and my own
misunderstandings.
You guys have pointed me to a number of places that google apparently
didn't know about.
> The number of rules evaluated makes a lot more difference than the
> number of parameters evaluated per rule.
That's what I was trying to accomplish with the 'branching' anchors.
> My number one advice for people who want to optimize their rulesets for
> performance is: DON'T.
So I hear :-)
> That being said, here are some things you can do while you're doing the
> above which will help performance.
>
> - stateful filtering (don't use 'no state')
> - pfctl optimizer (don't use 'set ruleset-optimization none')
> - use tables for lists of addresses
> - use as few rules as possible to get the filtering you want
>   while keeping the ruleset readable.
The big (huge) thing I didn't know about is the optimizer. I was
already aware of the others.
Thanks, Ryan. I'm used to hand optimizing for Cisco and iptables. I
seem to be not in Kansas any more -- let's see how well his optimizer
thing works...
--
Glenn English
g...@slsware.com
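A before/after pf.conf showing the four points from Ryan's list side by side. This is an added example, not from either message in the thread and not an OpenBSD sample file; the interface name em0 and the 192.0.2.0/24 (TEST-NET-1) addresses are placeholders.

```pf
# BEFORE (kept as comments): a ruleset that fights every item on the list above.
# Constructed example, not taken from the thread.
#
# set ruleset-optimization none   # turns the pfctl optimizer off
# ext_if = "em0"
# pass in on $ext_if proto tcp from 192.0.2.10 to ($ext_if) port 22 no state
# pass in on $ext_if proto tcp from 192.0.2.11 to ($ext_if) port 22 no state
# pass in on $ext_if proto tcp from 192.0.2.12 to ($ext_if) port 22 no state
# ... one rule per admin host, and with 'no state' every packet of every
# connection, in both directions, walks the whole list again.

# AFTER: stateful, optimizer left on, one table-driven rule.
ext_if = "em0"                      # assumed interface name
set ruleset-optimization basic      # already the default; written out to make the choice explicit
set skip on lo0

# A table is a single lookup however many addresses it holds, so adding
# admin hosts grows the table, not the number of rules evaluated.
table <admins> { 192.0.2.10, 192.0.2.11, 192.0.2.12 }   # placeholder addresses

block in on $ext_if

# Stateful by default (no 'no state'): only the first packet of a connection
# is matched against the rules; the rest are matched by the state table.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port 22
pass out on $ext_if
```

`pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the rules pfctl would install, which is a quick way to see what the optimizer makes of a ruleset before committing it.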