When creating pf rules there is a choice between referencing interface addresses via parens '(em1)' or without the parens. The pf.conf man page states that parens should be used so that the pf ruleset doesn't have to be reloaded if IP addresses on the interface change. But I'm also noticing that using parens on interfaces with many addresses assigned generates many more rules (1 for each address on the interface) when compiled.

But which is more performant when it comes to rule evaluation for packets? Going without parens and generating 80+ additional rules for rulesets that have various vlans or... going with parens and having far fewer rules that instead look like 'pass out on vlan2 from (vlan3:8)'?

For my particular setup I'm not expecting these interfaces to actually have IPs changing on them while pf is running.

-- Adonis