Date: Thu, 16 Sep 2004 03:52:22 -0000
From: Max Laier <max@love2party.net>
To: James Quick <jq@quick.com>
Cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Question about tables vs. lists.
Message-ID: <99173910970.20030929180707@love2party.net>
In-Reply-To: <7F0E43BA-F291-11D7-B179-003065C496DC@quick.com>
References: <18E25BB4-F287-11D7-ADF9-003065C496DC@quick.com> <143167915309.20030929162711@love2party.net> <7F0E43BA-F291-11D7-B179-003065C496DC@quick.com>
Hello James,

Monday, September 29, 2003, 5:27:54 PM, you wrote:

JQ> Though I did play around with some rulesets which used list
JQ> expansion in rules, my current ruleset uses tables for everything
JQ> (except for one each of { tcp, udp } and { http, https } in-line).
JQ> In particular, I have several tables which are likely to change
JQ> over time, but should not typically change very often - weekly
JQ> or monthly.
JQ> The tables in question currently have 3-5 entries, and should
JQ> not grow beyond 10-20 entries.
JQ> I prefer the additional information that I can easily grab from
JQ> pfctl for tables, and also like the more modular design. I am
JQ> unsure, however, about the relative costs of table lookup vs. the
JQ> increase in rule count that the use of a list would incur.

Well, I did not do any benchmarks and don't know of any, but here is some reasoning about it:

1) Tables use the same implementation that is used for routing tables. It provides a balanced search tree with h < 32 (or 64 for IPv6). This gives us lookups in O(1) in the general case.

2) In FreeBSD, tables need locking. That means that for table operations we might suffer an additional context switch, in contrast to OpenBSD.

3) If you use a list, you give pf the chance to optimize the rules that are expanded from the list rule. Skip-steps will (in most cases) only require full evaluation of all rules for a match of the last one. However, 10+ rules might still generate more calculation overhead than a single table rule.

4) With a list, you have the information right at hand, and don't need to dig into the tables to know what happened. This might esp. be true for pflogd output.

JQ> Are there any compelling reasons to use lists instead of tables
JQ> for small sets? Since the total number of tables is likely to
JQ> remain fairly small, I don't consider the up front memory cost
JQ> for a small table to be compelling.
I prefer lists over tables when I have a small set of stable hosts or nets that I want to filter (=block). The reason for that is that I somewhat "hardcode" it into my ruleset and that I can get per-host output from pflog. I use tables only where I want a manageable solution and have fairly many addresses.

However, I don't believe that you will see much difference between a table- or list-powered ruleset for 10-20 addresses. Choose whatever approach is the more comfortable for you. You may want to take a look at https://solarflux.org/pf/#examples to see how others like to handle it. There is a really wide spectrum of applications there, which should give you enough information to base your decision on.

-- 
Best regards,
Max mailto:max@love2party.net
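The two approaches the thread compares, side by side, as an added pf.conf example (constructed for this page; it is not a ruleset posted by either participant). The interface name, the macro name and the addresses are assumptions (documentation ranges from RFC 5737). The same set of hosts is written once as a table and once as an inline list, so that the expansion and the management differences described above can be observed with pfctl:

```pf
# Constructed example, not from the thread. Interface and addresses are assumptions.
ext_if = "fxp0"

# --- Table approach ---
# One rule, one table. 'persist' keeps the table alive even if no rule
# references it, so entries can be added/removed without reloading the
# ruleset. Entries could also be kept in a file: table <blocked> persist file "/etc/pf.blocked"
table <blocked> persist { 192.0.2.10, 192.0.2.11, 198.51.100.0/24 }

block in log quick on $ext_if from <blocked> to any

# --- List approach ---
# pfctl expands this into one rule per list element at load time
# (three rules here), so each host gets its own rule number and its own
# counters; pflog output then identifies the matching host by rule.
blocked_list = "{ 192.0.2.10, 192.0.2.11, 198.51.100.0/24 }"

block in log quick on $ext_if from $blocked_list to any

# Inspection and maintenance (run as root; shown as comments):
#   pfctl -nvf /etc/pf.conf              # parse only; prints the expanded rules
#                                         # (1 rule for the table, 3 for the list)
#   pfctl -t blocked -T show             # list the table's current entries
#   pfctl -t blocked -T add 203.0.113.5  # add an address without a ruleset reload
#   pfctl -t blocked -T delete 203.0.113.5
#   pfctl -t blocked -T test 192.0.2.10  # check whether an address would match
#   pfctl -vsr                            # rules with evaluation/match counters;
#                                         # list rules show per-host counts, the
#                                         # table rule shows one aggregate count
```

Loading the file with `pfctl -nvf` is the quickest way to see the trade-off the thread describes: the table keeps the rule count constant and lets the address set change at runtime, while the list burns one rule per address but yields per-host rule numbers and counters in `pfctl -vsr` and in pflog.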