On 18 Feb 2019, at 18:30, Andreas Longwitz wrote:
Ok, thanks, I will commit the patch shortly. I do not see a point in waiting
for two more weeks; be sure to report to me if anything goes wrong.

your patch for counter(9) on i386 definitely solves my problem discussed
in this thread.

Because fetching a counter is a rather expensive function we should use
counter_u64_fetch() in pf_state_expires() only when necessary. A "rdr
pass" rule should not cause more effort than separate "rdr" and "pass"
rules. For rules with adaptive timeout values the call of
counter_u64_fetch() should be accepted, but otherwise not.

For a small gain in performance especially for "rdr pass" rules I
suggest something like

--- pf.c.orig   2019-02-18 17:49:22.944751000 +0100
+++ pf.c        2019-02-18 17:55:07.396163000 +0100
@@ -1558,7 +1558,7 @@
        if (!timeout)
                timeout = V_pf_default_rule.timeout[state->timeout];
        start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
-       if (start) {
+       if (start && state->rule.ptr != &V_pf_default_rule) {
                end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
states = counter_u64_fetch(state->rule.ptr->states_cur);
        } else {
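
Review bot: The new test in `if (start && state->rule.ptr != &V_pf_default_rule)` sends states attached to the default rule to the `else` branch even when `start` is non-zero, and the body of that branch is not part of this hunk. Please confirm that the `else` path still applies the intended adaptive scaling for those states, so the change only skips the `counter_u64_fetch(state->rule.ptr->states_cur)` call and does not alter when states expire. A short comment above the condition saying why the default rule is excluded would help, since the reason (avoiding the counter fetch) is not obvious from the code, and a before/after measurement would justify the extra branch.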

I think that looks correct. Do you have any performance measurements on this?

Although presumably it only really matters in cases where there’s no explicit catch-all rule, so I do wonder if it’s worth it.

Regards,
Kristof