On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:

> no need for that, we have automatic skip steps, and a ruleset
> optimizer that re-orders where it makes sense.

Well, I'll be damned. The pf optimizer actually works! If I order the rules properly and put enough info into them that pf can tell what I mean, the compiled ruleset skips over huge hunks of rules.

This does bring a question to my mind, though. Why is this ruleset optimization kept a secret? It's a *very* major piece of pf, IMHO. I did a significant amount of reading and looking around, and I never saw it discussed in any detail at all until I asked the list about my iptables wannabe pf ruleset...

As somebody said at undeadly, dhartmei's writings on pf at undeadly
( http://undeadly.org/cgi?action=article&sid=20060927091645 )
should be in the docs at OpenBSD.org.

Thanks to all who responded. Hopefully I can figure out the rest.

--
Glenn English
g...@slsware.com
