Re: Optimizing rules.
DH> If you really have a huge rule set and wonder how much of the rule loading
DH> time is caused by skip step calculation, you can just comment out the calls
DH> to pf_calc_skip_steps() in sys/net/pf_ioctl.c and compare. I'd be surprised
DH> if it made a significant difference, as the one-by-one transfer of rules
DH> through ioctl is what is taking most of the time.
Actually, I don't have such a huge ruleset, but was worried about the
time pf has no rules (-Fa) to when it actually loads them. BTW, does
it start to filter with the rules as they come in, or wait for the whole
thing? I'm thinking here of when you have someone doing some kind of
attack on some resource and you want to ban that IP. Until today (now
we have anchor points) you had to either risk those seconds of
reloading, or stop forwarding packets, load, and forward again. Isn't a two
rule set system, like ipf, desirable for these situations?
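The anchor-based approach the reply alludes to, as an added illustration that is not part of the original thread: the main ruleset keeps a persistent table and an anchor for emergency bans, so blocking a host changes only the table or the anchor and never requires flushing the main rules. The interface name `em0`, the table name `banned`, the anchor name `banned` and the path `/etc/pf.banned` are assumed placeholders; `pfctl -t`, `pfctl -a` and the `persist` table flag are standard pf features.

```pf
# Added example, not from the original message. Assumed names: em0, banned.
ext_if = "em0"

# A persistent table survives ruleset reloads and can be edited at runtime;
# entries are dropped early by the quick rule below without touching
# anything else in the ruleset.
table <banned> persist

block in quick on $ext_if from <banned> to any

# The anchor holds rules that can be replaced independently of /etc/pf.conf.
anchor "banned"

# Normal policy follows; it stays loaded while bans are added or removed.
pass out on $ext_if keep state

# Operator commands (run as root; shown here as comments):
#   pfctl -t banned -T add 192.0.2.10      # ban one host: only the table changes
#   pfctl -t banned -T delete 192.0.2.10   # lift the ban
#   pfctl -a banned -f /etc/pf.banned      # replace only the rules inside the anchor
#   pfctl -a banned -F rules               # flush only the anchor, main rules untouched
#   pfctl -f /etc/pf.conf                  # full reload: the window the reply worries about
```

The table and anchor operations never pass through the flush-then-load cycle of a full `pfctl -f`, which is what closes the window between `-Fa` and the new ruleset being active.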