author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2007-03-21 03:01:32 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2007-03-21 03:01:32 +0000 |
commit | a4ef81c1685247190c15e2a26ca97c65967fb777 (patch) | |
tree | cd4c42c9d403395624a9d6187ab4e8cfe48abc88 /sbin/pfctl | |
parent | f289e4f956063a8bf5e6cd04213ab2ce003df593 (diff) |
Enable basic ruleset optimization by default.
ok deraadt henning
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/pfctl.8 | 40 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 4 |
2 files changed, 7 insertions, 37 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index b5be8a1f624..d3b7d502194 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $ +.\" $OpenBSD: pfctl.8,v 1.129 2007/03/21 03:01:31 mcbride Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" 
@@ -297,50 +297,18 @@ Do not actually load rules, just parse them. Load only the options present in the rule file. Other rules and options are ignored. .It Fl o Op Ar level -Control the ruleset optimizer. -The ruleset optimizer attempts to improve rulesets by removing rule -duplication and making better use of rule ordering. +Control the ruleset optimizer, overriding any rule file settings. .Pp .Bl -tag -width xxxxxxxxxxxx -compact .It Fl o Cm none Disable the ruleset optimizer. .It Fl o Cm basic Enable basic ruleset optimizations. +This is the default behaviour. .It Fl o Cm profile Enable basic ruleset optimizations with profiling. .El .Pp -.Cm basic -optimization does does four things: -.Pp -.Bl -enum -compact -.It -remove duplicate rules -.It -remove rules that are a subset of another rule -.It -combine multiple rules into a table when advantageous -.It -re-order the rules to improve evaluation performance -.El -.Pp -If -.Cm profile -is specified, the currently loaded ruleset will be examined as a feedback -profile to tailor the optimization of the -.Ar quick -rules to the actual network behavior. -.Pp -It is important to note that the ruleset optimizer will modify the ruleset -to improve performance. -A side effect of the ruleset modification is that per-rule accounting -statistics will have different meanings than before. -If per-rule accounting is important for billing purposes or whatnot, either -the ruleset optimizer should not be used or a -.Ar label -field should be added to all of the accounting rules to act as optimization -barriers. -.Pp To retain compatibility with previous behaviour, a single .Fl o without any options will enable @@ -348,6 +316,8 @@ without any options will enable optimizations, and a second .Fl o will enable profiling. +For further information on the ruleset optimizer, see +.Xr pf.conf 5 . .It Fl p Ar device Use the device file .Ar device diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index cf338c7d40b..123475a0ddd 100644 
--- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.262 2007/03/01 17:20:53 deraadt Exp $ */ +/* $OpenBSD: pfctl.c,v 1.263 2007/03/21 03:01:31 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1954,7 +1954,7 @@ main(int argc, char *argv[]) int ch; int mode = O_RDONLY; int opts = 0; - int optimize = 0; + int optimize = PF_OPTIMIZE_BASIC; char anchorname[MAXPATHLEN]; char *path; FILE *fin = NULL; |
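Review bot: In the pfctl.8 hunk at -297,50, the paragraph warning that the optimizer changes the meaning of per-rule accounting statistics, and that a label field acts as an optimization barrier, is removed in the same commit that makes basic optimization the default. Someone reading only pfctl(8) now gets a rewritten ruleset and shifted counters with no hint of it here. Consider keeping one sentence on the accounting side effect next to "This is the default behaviour." in addition to the .Xr pf.conf 5 pointer, and confirm that pf.conf(5) carries the removed text, since the diffstat shown is limited to sbin/pfctl. The retained compatibility paragraph ("a single -o without any options will enable basic optimizations") could also say that this is now the same as the default.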
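Review bot: In main() in pfctl.c, the initializer change to "int optimize = PF_OPTIMIZE_BASIC;" is the only functional change to the file according to the diffstat (4 lines, two of them the version string), so the -o option handling is untouched and should be re-checked against a nonzero starting value. "-o none" has to reset the value explicitly rather than rely on it starting at 0, and a single bare -o must still select basic, with only a second -o selecting profile, as the man page text still promises. The man page now also says -o overrides "any rule file settings", and nothing in this hunk distinguishes a value set by -o from the built-in default, so it is worth confirming that a rule file setting can still change the default when -o is absent.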