
Improve pfctl rule load times with thousands of interfaces
ClosedPublic

Authored by ncrogers_gmail.com on Mar 17 2020, 5:04 PM.
Details

Summary

r343287 / D18759 introduced ifa_add_groups_to_map() which is now run by ifa_load/ifa_lookup/host_if. When loading an anchor or ruleset via pfctl that does NOT contain ifnames as hosts, host() still ends up iterating all interfaces twice, grabbing SIOCGIFGROUP ioctl twice for each. This adds an unnecessary amount of time on systems with thousands or tens of thousands of interfaces.

Prioritize the IPv4/6 check over the interface name lookup, which skips loading the iftab and iterating all interfaces when the configuration does not contain interface names.
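The reordering described above, as an added illustration that is not pfctl's own code: a toy `host()` with the old order (interface lookup first) beside the new order (address literal first), with a counter showing when the per-interface walk runs. The interface table, the stand-in `ifa_lookup()` and the return codes are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for the interface table pfctl would build. */
static const char *iftab[] = { "em0", "lo0", "vlan100", "tun0" };
/* How many times the (expensive, per-interface) walk ran. */
static int ifa_walks = 0;

/* Stand-in for ifa_lookup(): linear walk over every interface,
 * modelling the SIOCGIFGROUP loop that costs so much with many ifaces. */
static bool ifa_lookup(const char *name)
{
    ifa_walks++;
    for (size_t i = 0; i < sizeof(iftab) / sizeof(iftab[0]); i++)
        if (strcmp(iftab[i], name) == 0)
            return true;
    return false;
}

/* Cheap check: is the string an IPv4 or IPv6 literal? */
static bool is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Old order: interface walk first, so every address literal pays for it.
 * Returns 1 for an interface name, 2 for an address literal, 0 otherwise. */
int host_old(const char *s)
{
    if (ifa_lookup(s))
        return 1;
    if (is_ip_literal(s))
        return 2;
    return 0;
}

/* New order: parse the address first; walk interfaces only if that fails. */
int host_new(const char *s)
{
    if (is_ip_literal(s))
        return 2;
    if (ifa_lookup(s))
        return 1;
    return 0;
}

/* Returns the walk count since the last call and resets it. */
int walks_reset(void) { int n = ifa_walks; ifa_walks = 0; return n; }
```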

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

At first glance that looks very reasonable. I'm building world with your change for a quick run through the tests, but I expect those to be fine.
I should be able to commit this in the next day or two.

This revision was not accepted when it landed; it landed in state Needs Review. Mar 19 2020, 12:54 PM
This revision was automatically updated to reflect the committed changes.