From 5ceed480a44c2b160b436af9c826a7d3afc3451d Mon Sep 17 00:00:00 2001 From: Mike Frantzen Date: Fri, 16 Jul 2004 23:44:26 +0000 Subject: 'pfctl -o' ruleset optimizer that doesnt change the meaning of the final ruleset - remove identical and subsetted rules - when advantageous merge rules w/ similar addresses into a table and one rule - re-order rules to improve skip step performance (can do better w/ kernel mods) - 'pfctl -oo' will load the currently running ruleset and use it as a profile to direct the optimization of quicked rules ok henning@ mcbride@. man page help from jmc@ --- sbin/pfctl/pfctl_parser.h | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) (limited to 'sbin/pfctl/pfctl_parser.h') diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h index d16abc4d599..b069b8236d4 100644 --- a/sbin/pfctl/pfctl_parser.h +++ b/sbin/pfctl/pfctl_parser.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl_parser.h,v 1.76 2004/05/19 17:50:51 dhartmei Exp $ */ +/* $OpenBSD: pfctl_parser.h,v 1.77 2004/07/16 23:44:25 frantzen Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -46,6 +46,8 @@ #define PF_OPT_DUMMYACTION 0x0100 #define PF_OPT_DEBUG 0x0200 #define PF_OPT_SHOWALL 0x0400 +#define PF_OPT_OPTIMIZE 0x0800 +#define PF_OPT_OPTIMIZE_PROFILE 0x1000 #define PF_TH_ALL 0xFF @@ -59,6 +61,11 @@ NULL \ } +struct pfr_buffer; /* forward definition */ +struct pf_opt_rule; +TAILQ_HEAD(pf_opt_queue, pf_opt_rule); + + struct pfctl { int dev; int opts; @@ -72,6 +79,7 @@ struct pfctl { struct pfr_buffer *trans; const char *anchor; const char *ruleset; + struct pf_opt_queue opt_queue; }; struct node_if { @@ -142,9 +150,31 @@ struct node_tinit { /* table initializer */ char *file; }; -struct pfr_buffer; /* forward definition */ + +/* optimizer created tables */ +struct pf_opt_tbl { + char pt_name[PF_TABLE_NAME_SIZE]; + int pt_rulecount; + int pt_generated; + struct node_tinithead pt_nodes; + struct pfr_buffer *pt_buf; +}; +#define PF_OPT_TABLE_PREFIX "__automatic_" + +/* optimizer pf_rule container */ +struct pf_opt_rule { + struct pf_rule por_rule; + struct pf_opt_tbl *por_src_tbl; + struct pf_opt_tbl *por_dst_tbl; + char por_anchor[MAXPATHLEN]; + u_int64_t por_profile_count; + TAILQ_ENTRY(pf_opt_rule) por_entry; + TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT]; +}; + int pfctl_rules(int, char *, int, char *, struct pfr_buffer *); +int pfctl_optimize_rules(struct pfctl *); int pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *); int pfctl_add_altq(struct pfctl *, struct pf_altq *); @@ -220,6 +250,7 @@ extern const struct pf_timeout pf_timeouts[]; void set_ipmask(struct node_host *, u_int8_t); int check_netmask(struct node_host *, sa_family_t); +int unmask(struct pf_addr *, sa_family_t); void ifa_load(void); struct node_host *ifa_exists(const char *, int); struct node_host *ifa_lookup(const char *, int); -- cgit v1.2.3