From owner-svn-src-stable@freebsd.org Thu Apr 2 18:32:52 2020 Return-Path: Delivered-To: svn-src-stable@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 521B12AFC2E; Thu, 2 Apr 2020 18:32:52 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 48tWry3KFXz3FXG; Thu, 2 Apr 2020 18:32:50 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 49AF41DEE3; Thu, 2 Apr 2020 18:32:45 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 032IWjrp087458; Thu, 2 Apr 2020 18:32:45 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 032IWjEx087457; Thu, 2 Apr 2020 18:32:45 GMT (envelope-from kp@FreeBSD.org) Message-Id: <202004021832.032IWjEx087457@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Thu, 2 Apr 2020 18:32:45 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r359572 - stable/12/sbin/pfctl X-SVN-Group: stable-12 X-SVN-Commit-Author: kp X-SVN-Commit-Paths: stable/12/sbin/pfctl X-SVN-Commit-Revision: 359572 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Apr 2020 18:32:52 -0000 Author: kp Date: Thu Apr 2 18:32:44 2020 New Revision: 359572 URL: https://svnweb.freebsd.org/changeset/base/359572 Log: MFC r359130: pfctl: improve rule load times with thousands of interfaces r343287 / D18759 introduced ifa_add_groups_to_map() which is now run by ifa_load/ifa_lookup/host_if. When loading an anchor or ruleset via pfctl that does NOT contain ifnames as hosts, host() still ends up iterating all interfaces twice, grabbing SIOCGIFGROUP ioctl twice for each. This adds an unnecessary amount of time on systems with thousands or tens of thousands of interfaces. Prioritize the IPv4/6 check over the interface name lookup, which skips loading the iftab and iterating all interfaces when the configuration does not contain interface names. Submitted by: Nick Rogers Sponsored by: RG Nets Modified: stable/12/sbin/pfctl/pfctl_parser.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sbin/pfctl/pfctl_parser.c ============================================================================== --- stable/12/sbin/pfctl/pfctl_parser.c Thu Apr 2 17:57:40 2020 (r359571) +++ stable/12/sbin/pfctl/pfctl_parser.c Thu Apr 2 18:32:44 2020 (r359572) @@ -1560,16 +1560,17 @@ host(const char *s) mask = -1; } - /* interface with this name exists? */ - if (cont && (h = host_if(ps, mask)) != NULL) - cont = 0; - /* IPv4 address? */ if (cont && (h = host_v4(s, mask)) != NULL) cont = 0; /* IPv6 address? */ if (cont && (h = host_v6(ps, v6mask)) != NULL) + cont = 0; + + /* interface with this name exists? */ + /* expensive with thousands of interfaces - prioritze IPv4/6 check */ + if (cont && (h = host_if(ps, mask)) != NULL) cont = 0; /* dns lookup */