Hello,
On Sat, Apr 29, 2023 at 01:37:52PM +0000, Klemens Nanni wrote:
> Both walk the list of rulesets aka. anchors, first one yields a count,
> second yields a specific anchor's name.
>
> Same data access pattern, different copy out, basically.
>
> pf_anchor_global are contained within pf_ioctl.c and pf_ruleset.c and
> fully protected by the pf lock.
>
> Same for pf_main_ruleset and its pf.c usage.
>
> Running with extra asserts to double check works and handling 60k rules
> in an anchor works noticeably faster:
>
> # jot -w 'pass proto tcp to port ' 60000 | pfctl -a test -o none -f -
> # time pfctl -a test -s r | wc -l
> 60000
> 0m02.10s real 0m00.40s user 0m01.70s system
>
> Dropped from around 3.5s to around 2.0s for me.
>
> Feedback? OK without asserts?
OK with asserts.
thanks and
regards
sashan