On 2024/07/22 20:52, [email protected] wrote:
> When creating pf rules there is a choice between referencing interface
> addresses via parens '(em1)' or without the parens. The pf.conf man page
> states that parens should be used so that the pf ruleset doesn't have to be
> reloaded if IP addresses on the interface change. But I'm also noticing that
> using parens on interfaces with many addresses assigned generates many more
> rules (1 for each address on the interface) when compiled.
>
> But which is more performant when it comes to rule evaluation for packets?
> Going without parens and generating 80+ additional rules for rulesets that
> have various vlans or... going with parens and having far fewer rules that
> instead look like 'pass out on vlan2 from (vlan3:8)'?
Normally in this case the ruleset optimiser (on by default, at least in OpenBSD's pfctl) will collapse these into a table (these have fast lookups) if there are more than a couple of addresses. Benchmark if you want to be sure, but I'd expect this to be much faster than looking up addresses on-the-fly and comparing with each one.
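As an added example (not part of this thread, and not OpenBSD's own code), the script below writes a constructed ruleset containing the same policy in the three forms under discussion (bare interface name, interface name in parens, and an explicit address list) and counts how many rules pfctl generates for it with the optimiser disabled (-o none) and enabled (-o basic). The interface names vlan2/vlan3, the 10.0.3.x addresses and the /tmp path are assumptions; the bare-interface rule only parses on a host where vlan3 actually exists and carries addresses, otherwise pfctl rejects the file with "no IP address found for vlan3". The counting helpers only parse pfctl's verbose output, so they work on saved output from another host as well.

```shell
#!/bin/sh
# Added example, not from the thread: compare how many rules pfctl generates
# for the "interface", "(interface)" and address-list forms, with the ruleset
# optimiser off and on. Interface names, addresses and the path are assumptions.
set -eu

CONF=/tmp/pf-compare.conf

# Constructed ruleset. vlan3 is assumed to carry the eight 10.0.3.x addresses.
cat > "$CONF" <<'EOF'
ext_if = "vlan2"
int_if = "vlan3"

# A: bare interface name: pfctl resolves the addresses when the ruleset is
#    loaded, producing one rule per address currently on vlan3.
pass out on $ext_if from $int_if to any

# B: interface name in parens: a single rule; the kernel re-reads the
#    interface's address list as it changes, so no reload is needed.
pass out on $ext_if from ($int_if) to any

# C: explicit list: expands to one rule per address, which the optimiser can
#    collapse into one rule that references an automatically built table.
pass out on $ext_if from { 10.0.3.1, 10.0.3.2, 10.0.3.3, 10.0.3.4, 10.0.3.5, 10.0.3.6, 10.0.3.7, 10.0.3.8 } to any
EOF

# count_rules: number of pass/block/match rules in verbose pfctl output read
# from stdin. "pfctl -nvf file" prints one line per rule after macro and list
# expansion (and after the optimiser has run, when it is enabled).
count_rules() {
    grep -Ec '^(pass|block|match)[[:space:]]' || true
}

# count_auto_tables: number of distinct <__automatic_...> tables in the output
# read from stdin. pfctl names the tables it builds from collapsed address
# lists "__automatic_...", so a non-zero count shows the collapse happened.
count_auto_tables() {
    grep -oE '<__automatic_[^>]+>' | sort -u | wc -l | tr -d '[:space:]'
}

if command -v pfctl >/dev/null 2>&1; then
    for level in none basic; do
        out=$(pfctl -o "$level" -nvf "$CONF") || {
            echo "pfctl rejected $CONF (does vlan3 exist and have addresses?)" >&2
            exit 1
        }
        printf 'optimizer=%s rules=%s auto_tables=%s\n' "$level" \
            "$(printf '%s\n' "$out" | count_rules)" \
            "$(printf '%s\n' "$out" | count_auto_tables)"
    done
else
    echo "pfctl not found; run this on an OpenBSD host to see the real counts" >&2
fi
```

What to look for: with -o none, forms A and C each expand to one rule per address while B stays a single rule; with -o basic, the expanded rules that differ only in the source address should be replaced by one rule whose source is an `<__automatic_...>` table (pfctl -sT and pfctl -t name -T show list such tables after a real load), and B is unchanged because there is nothing to collapse. The dynamic form still has to consult the interface's current address list for every packet it is evaluated against, which is the cost the reply above is comparing against a table lookup.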
