On Sun, Nov 01, 2009 at 01:16:10PM -0700, ghe wrote:
> On Oct 31, 2009, at 5:13 PM, Stuart Henderson wrote:
>
>> no need for that, we have automatic skip steps, and a ruleset
>> optimizer that re-orders where it makes sense.
>
> Well, I'll be damned. The pf optimizer actually works! If I order the
> rules properly and put in enough info into them that pf can tell what I
> mean, the compiled ruleset skips over huge hunks of rules.
>
> This does bring a question to my mind, though. Why is this ruleset
> optimization kept a secret? It's a *very* major piece of pf, IMHO. I did
> a significant amount of reading and looking around, and I never saw it
> discussed in any detail at all until I asked the list about my iptables
> wannabe pf ruleset...

Because it just works the way a firewall *should*? The OpenBSD developers aren't distracted by World Domination (TM) like some other operating systems.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/