On 2009-10-31, ghe <g...@slsware.com> wrote:
> pf.conf consists largely of anchors (to fork on protocol) and sub-anchors below them to fork on service -- I'm trying to reduce the count of rules seen by a packet to a minimum. But
No need for that, we have automatic skip steps, and a ruleset optimizer that re-orders where it makes sense. See the 3 articles on undeadly about pf for some fundamentals, starting here: http://undeadly.org/cgi?action=article&sid=20060927091645 (this is for an old version; since then the optimizer is enabled by default, pfctl -o isn't necessary).
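The two layouts the thread contrasts, as an added pf.conf example that is not from either poster: the protocol/service anchor tree the question describes, and the flat equivalent the reply recommends. The interface name, the admin network 192.0.2.0/24 and the service ports are made up; load only one of the two layouts at a time.

```pf
# Constructed example (not from the thread). ext_if and the admin
# network are placeholders; only one of layout A or B is meant to be loaded.
ext_if = "em0"
admin_net = "192.0.2.0/24"

set skip on lo

# Layout A: anchor tree, first forked on protocol, then on service.
# Every packet is walked down the tree to reach the matching leaf.
block return log all
anchor "tcp" in on $ext_if proto tcp {
    anchor "ssh" proto tcp to port 22 {
        pass in from $admin_net
    }
    anchor "web" proto tcp to port { 80 443 } {
        pass in
    }
}
anchor "udp" in on $ext_if proto udp {
    pass in to port 53
}

# Layout B: the same policy as a flat list. pf builds skip steps over
# consecutive rules that share interface, protocol and addresses, and
# the ruleset optimizer (on by default) re-orders independent rules,
# so the tree above does not reduce the work done per packet.
# block return log all
# pass in on $ext_if proto tcp from $admin_net to port 22
# pass in on $ext_if proto tcp to port { 80 443 }
# pass in on $ext_if proto udp to port 53
```

`pfctl -nvf pf.conf` parses the file without loading it and prints the expanded rules, which is a quick way to compare what each layout actually produces.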