On Tue, Jul 23, 2024, at 5:08 AM, Stuart Henderson wrote:
> On 2024/07/22 20:52, [email protected] wrote:
> > When creating pf rules there is a choice between referencing interface
> > addresses via parens '(em1)' or without the parens. The pf.conf man page states
> > that parens should be used so that the pf ruleset doesn't have to be
> > reloaded if ip addresses on the interface change. But I'm also noticing
> > that using parens on interfaces with many addresses assigned generates many
> > more rules (1 for each address on the interface) when compiled.
> >
> > But which is more performant when it comes to rule evaluation for packets?
> > Going without parens and generating 80+ additional rules for rulesets that have various vlans
> > or.. going with parens and having much less rules that instead look like 'pass out on vlan2 from
> > (vlan3:8)'?
>
> Normally in this case the ruleset optimiser (on by default, at least in
> OpenBSD's pfctl) will collapse these into a table (these have fast
> lookups) if there are more than a couple of addresses.
>
> Benchmark if you want to be sure but I'd expect this to be much faster
> than looking up addresses on-the-fly and comparing with each one.
So that's to say that the ruleset optimizer is creating a table out of the interface addresses when 'pfctl -vvsr rules' shows them in parentheses such as 'pass out on vlan2 from (vlan3:8)'? That definitely makes sense, as I can see that the number 8 in (vlan3:8) matches the number of addresses on vlan3. Now the next question would be: if a user is specifying that their interface addresses are not changing, and thus uses the non-parentheses form by creating the rule 'pass on vlan2 from vlan3', why is the optimizer not creating a table then? I would've thought that it would, but instead I see 1 rule added for each address on vlan3.
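The three rule forms discussed in the thread side by side, as an added pf.conf example (not from either poster); vlan2, vlan3 and the table name and addresses are assumed placeholders.

```pf
# 1. Parenthesised interface: pf resolves the addresses of vlan3 at
#    evaluation time, so address changes on vlan3 need no ruleset reload.
#    'pfctl -vvsr' displays it as (vlan3:N), N = current address count.
pass out on vlan2 from (vlan3)

# 2. Bare interface: pfctl expands the addresses when the ruleset is
#    parsed, so the loaded ruleset is a snapshot; re-run
#    'pfctl -f /etc/pf.conf' after any address change on vlan3.
pass out on vlan2 from vlan3

# 3. Explicit table: one rule with a table lookup, under a name you
#    control. The contents can be replaced in place without reloading
#    the rules: 'pfctl -t vlan3_addrs -T replace 192.0.2.1 192.0.2.3'
table <vlan3_addrs> persist { 192.0.2.1 192.0.2.2 }   # constructed addresses
pass out on vlan2 from <vlan3_addrs>

# To compare what the optimiser does with each form, parse without
# loading ('-n') at verbose level and diff the output with the optimiser
# turned off:
#   pfctl -nvf /etc/pf.conf
#   pfctl -o none -nvf /etc/pf.conf
```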
