From d2568b024da283bd2b88a633eecfc9abf240b3d8 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Thu, 19 Mar 2020 12:54:43 +0000
Subject: [PATCH] pfctl: improve rule load times with thousands of interfaces

r343287 / D18759 introduced ifa_add_groups_to_map() which is now run by ifa_load/ifa_lookup/host_if.

When loading an anchor or ruleset via pfctl that does NOT contain ifnames as hosts, host() still ends up iterating all interfaces twice, grabbing SIOCGIFGROUP ioctl twice for each. This adds an unnecessary amount of time on systems with thousands or tens of thousands of interfaces.

Prioritize the IPv4/6 check over the interface name lookup, which skips loading the iftab and iterating all interfaces when the configuration does not contain interface names.

Submitted by: Nick Rogers
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D24100
---
 sbin/pfctl/pfctl_parser.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 770153c3922c..4f64052924b0 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1563,10 +1563,6 @@ host(const char *s)
 mask = -1;
 }
- /* interface with this name exists? */
- if (cont && (h = host_if(ps, mask)) != NULL)
- cont = 0;
 /* IPv4 address? */
 if (cont && (h = host_v4(s, mask)) != NULL)
 cont = 0;
@@ -1575,6 +1571,11 @@ host(const char *s)
 if (cont && (h = host_v6(ps, v6mask)) != NULL)
 cont = 0;
+ /* interface with this name exists? */
+ /* expensive with thousands of interfaces - prioritze IPv4/6 check */
+ if (cont && (h = host_if(ps, mask)) != NULL)
+ cont = 0;
 /* dns lookup */
 if (cont && (h = host_dns(ps, v4mask, v6mask)) != NULL)
 cont = 0;
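Review bot: The comment added above the moved host_if() call in the second hunk has a typo, `prioritze`, and the two stacked comment lines read better as one: `/* interface with this name exists? expensive with thousands of interfaces - prioritize the IPv4/6 check */`. Beyond the speed-up, the move is a precedence change: a string that both names an interface and parses as an IPv4/IPv6 literal is now resolved as an address before host_if() is consulted, whereas before this patch the interface won; if interface names cannot take that form this is harmless, but the comment or commit message should state that address-first order is deliberate so a later cleanup does not restore the old order. The first hunk is the matching deletion of the same three lines, so this applies to both. host()'s body begins before the first hunk and continues past the second, so the remaining fall-through to host_dns() is only partly visible here.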