On 2024/07/23 08:58, [email protected] wrote:
> On Tue, Jul 23, 2024, at 5:08 AM, Stuart Henderson wrote:
>
> On 2024/07/22 20:52, [email protected] wrote:
> > When creating pf rules there is a choice between referencing interface
> > addresses via parens '(em1)' or without the parens. The pf.conf man page
> > states that parens should be used so that the pf ruleset doesn't have to
> > be reloaded if ip addresses on the interface change. But I'm also noticing
> > that using parens on interfaces with many addresses assigned generates
> > many more rules (1 for each address on the interface) when compiled.
> >
> > But which is more performant when it comes to rule evaluation for
> > packets? Going without parens and generating 80+ additional rules for
> > rulesets that have various vlans or.. going with parens and having much
> > less rules that instead look like 'pass out on vlan2 from (vlan3:8)'?
>
> Normally in this case the ruleset optimiser (on by default, at least in
> OpenBSD's pfctl) will collapse these into a table (these have fast
> lookups) if there are more than a couple of addresses.
>
> Benchmark if you want to be sure but I'd expect this to be much faster
> than looking up addresses on-the-fly and comparing with each one.
>
> So that's to say that the ruleset optimizer is creating a table out
> of the interface addresses when 'pfctl -vvsr rules' shows them in
> parentheses such as 'pass out on vlan2 from (vlan3:8)?
No, when you use () it has to check the addresses on the interfaces
actively when the state is created.
> That definitely makes sense.. as I can see that the number 8 in
> (vlan3:8) matches the number of addresses on vlan3.
>
> Now the next question would be: If a user is specifying that
> their interface addresses are not changing, and thus uses the non
> parentheses form by creating the rule 'pass on vlan2 from vlan3' why
> is the optimizer not creating a table then? I would've thought that it
> would but instead I see 1 rule added for each address on vlan3.
Are you doing anything to disable the optimiser? (Which OS/version is it?)
On recent OpenBSD versions you need 6 addresses to trigger conversion to
a table:
$ echo 'pass from {1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5}' | pfctl -nvf -
pass inet from 1.1.1.1 to any flags S/SA
pass inet from 1.1.1.2 to any flags S/SA
pass inet from 1.1.1.3 to any flags S/SA
pass inet from 1.1.1.4 to any flags S/SA
pass inet from 1.1.1.5 to any flags S/SA
$ echo 'pass from {1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6}' | pfctl -nvf -
table <__automatic_0> const { 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 }
pass inet from <__automatic_0> to any flags S/SA
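To audit a loaded or test-compiled ruleset for the three address forms discussed above (expanded literal addresses, optimiser-made <__automatic_N> tables, and the () form resolved at state creation), here is an added Python example that parses pfctl -nvf / pfctl -vvsr output; it is not code from the thread or from OpenBSD, and the sample output it embeds is constructed to match those forms rather than captured from a real system.

```python
import re
from collections import Counter

# Constructed sample of pfctl -nvf / pfctl -vvsr output modelled on the three
# address forms discussed in the thread; not captured from a real system.
SAMPLE_RULES = """\
table <__automatic_0> const { 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 }
pass inet from <__automatic_0> to any flags S/SA
pass inet from 10.0.2.1 to any flags S/SA
pass inet from 10.0.2.2 to any flags S/SA
pass out on vlan2 inet from (vlan3:8) to any flags S/SA
pass out on vlan2 inet from (vlan4:1) to (vlan5:2) flags S/SA
"""

TABLE_RE = re.compile(r'^table <(?P<name>[^>]+)>(?:.*\{(?P<members>[^}]*)\})?')
RULE_RE = re.compile(r'^(?:@\d+ )?(?:pass|block|match)\b')
# () form: pfctl prints (ifname:N), N being the address count on the interface
IFADDR_RE = re.compile(r'\((?P<ifname>[A-Za-z0-9_.]+)(?::(?P<n>\d+))?\)')
TABLEREF_RE = re.compile(r'<[^>]+>')

def classify_ruleset(text):
    """Classify each rule by how its addresses are resolved:
      'ifaddr' - () form, interface addresses looked up when a state is created
      'table'  - table reference; <__automatic_N> tables were made by the optimiser
      'static' - literal address expanded at load time, one rule per address"""
    tables, kinds, ifaddr_refs = {}, Counter(), {}
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            tables[m.group('name')] = (m.group('members') or '').split()
            continue
        if not RULE_RE.match(line):
            continue
        refs = list(IFADDR_RE.finditer(line))
        if refs:
            kinds['ifaddr'] += 1
            for r in refs:  # remember the address count pfctl reported per interface
                ifaddr_refs[r.group('ifname')] = int(r.group('n')) if r.group('n') else None
        elif TABLEREF_RE.search(line):
            kinds['table'] += 1
        else:
            kinds['static'] += 1
    return {'tables': tables, 'kinds': dict(kinds), 'ifaddr_refs': ifaddr_refs,
            'optimiser_tables': [n for n in tables if n.startswith('__automatic_')]}

if __name__ == '__main__':
    for key, value in classify_ruleset(SAMPLE_RULES).items():
        print(key, value)
```

Pipe real output in with `pfctl -nvf /etc/pf.conf | python3 audit.py` style reading of stdin if you adapt it; a large 'static' count with no <__automatic_N> table is the sign that the optimiser did not collapse the expansion.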