OpenBSD Journal

Pfctl optimizer in -current

Contributed by grey on from the henning gets his beer back dept.

Thanks to Foxy for keeping tabs on things and writing in with the following update:

Due to Mike Frantzen's work, pfctl optimizer is official in OpenBSD current sources. The Pfctl optimizer features:

'pfctl -o' ruleset optimizer that doesnt change the meaning of the final ruleset
- remove identical and subsetted rules
- when advantageous merge rules w/ similar addresses into a table and one rule
- re-order rules to improve skip step performance (can do better w/ kernel mods)
- 'pfctl -oo' will load the currently running ruleset and use it as a profile
to direct the optimization of quicked rules

See the complete CVS commit log entry archived here for details.

(Comments are closed)


  1. By Frank Denis () on http://00f.net

    Is there any way to run the optimizer when pfctl is called at boot time ?

    1. By Andreas Kahari () on

      You could edit your /etc/rc in the appropriate places if you want to... It's just before where /var and /usr gets mounted, just after netstart.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]