Make counters on table addresses optional and disabled by default.

Use the 'counters' table option in pf.conf if you actually need them.
If enabled, memory is not allocated until packets match an address.

This saves about 40% memory if counters are not being used, and paves the way
for some more significant cleanups coming soon.

ok henning mpf deraadt

1 files changed, 7 insertions, 2 deletions

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 2212333e107..4b3f03dd8ff 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.400 2008/06/10 16:52:10 jmc Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.401 2008/06/10 20:55:01 mcbride Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -183,6 +183,11 @@ can be used to add or remove addresses from the table at any time, even
 when running with
 .Xr securelevel 7
 = 2.
+.It Ar counters
+The
+.Ar counters
+flag enables per-address packet and byte counters which can be displayed with 
+.Xr pfctl 8 .
 .El
 .Pp
 For example,
@@ -2864,7 +2869,7 @@ antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
 
 table-rule     = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
 tableopts-list = tableopts-list tableopts | tableopts
-tableopts      = "persist" | "const" | "file" string |
+tableopts      = "persist" | "const" | "counters" | "file" string |
                  "{" [ tableaddr-list ] "}"
 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]