On Tue, Jul 23, 2024, at 9:14 AM, Stuart Henderson wrote:
> Are you doing anything to disable the optimiser? (Which OS/version is it?)
> On recent OpenBSD versions you need 6 addresses to trigger conversion to
> a table:
>
> $ echo 'pass from {1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5}' | pfctl -nvf -
> pass inet from 1.1.1.1 to any flags S/SA
> pass inet from 1.1.1.2 to any flags S/SA
> pass inet from 1.1.1.3 to any flags S/SA
> pass inet from 1.1.1.4 to any flags S/SA
> pass inet from 1.1.1.5 to any flags S/SA
>
> $ echo 'pass from {1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6}' | pfctl -nvf -
> table <__automatic_0> const { 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 }
> pass inet from <__automatic_0> to any flags S/SA
So actually the optimizer is doing the right thing. I do see that when an
interface has > 6 addresses it uses an automatic table and when <= 6 it creates
6 or fewer rules. Regarding the previous messages I sent, where I referenced
'pass on vlan2 from vlan3' creating 8 rules, that was wrong on my end because
that was really an example rule for the point of this exercise vs. what I
actually have in my ruleset. In my ruleset, if an interface has more than 6
addresses I do see the auto table created when it is referenced without
parentheses. That answers my question of when auto tables are created by the
optimizer, thanks.
>> So that's to say that the ruleset optimizer is creating a table out
>> of the interface addresses when 'pfctl -vvsr rules' shows them in
>> parentheses such as 'pass out on vlan2 from (vlan3:8)'?
> No, when you use () it has to check the addresses on the interfaces
> actively when the state is created.
Ah ok got it.
Is checking for addresses on an interface (when using parens) slower than the
following non-parens scenarios:
1. Reading the addresses from a table (for the cases when the optimizer
creates the automatic table)?
2. Reading 6 addresses via 6 rules (for the cases when the optimizer chooses
not to create an automatic table)?
--
Adonis
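A small tool that turns the check Stuart did above into something you can run against a whole ruleset: it parses what `pfctl -nvf -` (or `pfctl -vvsr`) prints and reports, per rule, whether pf matches literal addresses compiled into the rule, an optimizer-built `<__automatic_N>` table, or a parenthesised interface reference that is looked up when the state is created. This is an added example, not code from the thread or from OpenBSD; the function names, the `SAMPLE_OUTPUT` text (constructed to mirror the output format quoted in the thread) and the classification labels are this example's own choices, and only `main()` actually invokes pfctl.

```python
"""Report how pf expanded a ruleset: literal addresses compiled into the
rule, an automatic table the ruleset optimizer built, or a parenthesised
interface reference that pf resolves at state-creation time.

Added example; not code from OpenBSD or pfctl.  It relies only on the
output shape of `pfctl -nvf -` / `pfctl -vvsr` quoted in the thread.
"""
import re
import subprocess
import sys

# Address tokens as pfctl prints them in the from/to slot of a rule.
AUTO_TABLE = re.compile(r'<(__automatic_\d+)>')
ANY_TABLE = re.compile(r'<([^>]+)>')
# "(vlan3:8)": interface name plus optional modifiers such as :network and,
# in verbose output, the current address count (or :* when unknown).
DYN_IFACE = re.compile(r'\(([\w.]+)(?::[\w*]+)*\)')
# The token following a whole-word "from"/"to" (skipping a "!" negation);
# the lookbehind keeps "route-to (...)" from being taken for an address.
ADDR_SLOT = re.compile(r'(?<![\w-])(?:from|to)\s+(?:!\s*)?(\S+)')


def parse_pfctl_output(text):
    """Split pfctl output into (tables, rules).

    tables maps a table name to the addresses in its definition; a
    definition may wrap onto following lines until the braces balance.
    rules is the list of printed rule lines, with the "@N" prefix that
    `pfctl -vvsr` adds removed and its "[ Evaluations ... ]" lines dropped.
    """
    tables, rules = {}, []
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith('['):
            continue
        if line.startswith('table '):
            m = re.match(r'table <([^>]+)>(.*)$', line)
            body = m.group(2)
            while body.count('{') > body.count('}'):
                body += ' ' + next(lines).strip()
            if '{' in body:
                tables[m.group(1)] = body[body.index('{') + 1:body.rindex('}')].split()
            else:  # "table <x> file ..." definitions carry no inline addresses
                tables[m.group(1)] = []
            continue
        rules.append(re.sub(r'^@\d+\s+', '', line))
    return tables, rules


def classify_rule(rule):
    """Name how pf matches addresses for one printed rule: 'dynamic-interface'
    (looked up on the interface when the state is created), 'automatic-table'
    (optimizer-built table), 'table' (a table the ruleset named itself) or
    'literal' (addresses or "any" compiled into the rule)."""
    kinds = set()
    for token in ADDR_SLOT.findall(rule):
        if DYN_IFACE.fullmatch(token):
            kinds.add('dynamic-interface')
        elif AUTO_TABLE.fullmatch(token):
            kinds.add('automatic-table')
        elif ANY_TABLE.fullmatch(token):
            kinds.add('table')
    for kind in ('dynamic-interface', 'automatic-table', 'table'):
        if kind in kinds:
            return kind
    return 'literal'


def expansion_report(text):
    """Count rules per matching strategy and size each automatic table, so a
    long ruleset can be checked without reading it rule by rule."""
    tables, rules = parse_pfctl_output(text)
    by_kind = {}
    for rule in rules:
        kind = classify_rule(rule)
        by_kind[kind] = by_kind.get(kind, 0) + 1
    automatic = {name: len(addrs) for name, addrs in tables.items()
                 if name.startswith('__automatic_')}
    return {'rules': len(rules), 'by_kind': by_kind, 'automatic_tables': automatic}


def expand_with_pfctl(ruleset):
    """Run `pfctl -nvf -` (parse and print only; nothing is loaded) on a
    ruleset fragment and return what pfctl printed.  Needs a host with pf."""
    proc = subprocess.run(['pfctl', '-nvf', '-'], input=ruleset,
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample in the format quoted in the thread: the 5- and 6-address
# expansions, plus one rule with a parenthesised interface as -vvsr prints it.
SAMPLE_OUTPUT = """\
pass inet from 1.1.1.1 to any flags S/SA
pass inet from 1.1.1.2 to any flags S/SA
pass inet from 1.1.1.3 to any flags S/SA
pass inet from 1.1.1.4 to any flags S/SA
pass inet from 1.1.1.5 to any flags S/SA
table <__automatic_0> const { 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6
}
pass inet from <__automatic_0> to any flags S/SA
@7 pass out on vlan2 inet from (vlan3:8) to any flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

if __name__ == '__main__':
    # `pfctl -vvsr | python3 pf_expansion.py` reports on the live ruleset;
    # with no piped input the constructed sample is used instead.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(expansion_report(text))
    # Repeat Stuart's experiment on a pf host: the 6th address flips the
    # optimizer from one rule per address to a single automatic table.
    try:
        for n in (5, 6):
            addrs = ' '.join('1.1.1.%d' % i for i in range(1, n + 1))
            print(n, 'addresses ->', expansion_report(expand_with_pfctl('pass from {%s}\n' % addrs)))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print('pfctl not available here; live check skipped')
```

The dynamic-interface check is deliberately restricted to the `from`/`to` slots, because pfctl also prints parentheses elsewhere in a rule (state options such as `(if-bound)`, `route-to (...)`), which would otherwise be misread as interface references.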