Hello Daniel,

DH> If you really have a huge rule set and wonder how much of the rule loading
DH> time is caused by skip step calculation, you can just comment out the calls
DH> to pf_calc_skip_steps() in sys/net/pf_ioctl.c and compare. I'd be surprised
DH> if it made a significant difference, as the one-by-one transfer of rules
DH> through ioctl is what is taking most of the time.

Actually, I don't have such a huge ruleset, but I was worried about the time between pf having no rules (-Fa) and when it actually loads them. BTW, does it start to filter with the rules as they come, or does it wait for the whole thing? I'm thinking here of when you have someone doing some kind of attack on some resource and you want to ban that IP. Until today (now we have anchor points) you had to either risk those seconds of reloading, or stop forwarding packets, load, and forward again. Isn't a two-rule-set system, like ipf's, desirable for these situations?

Regards,
Alejandro Belluscio
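The anchor mechanism mentioned above is the usual answer to the reload gap: the main ruleset is loaded once and left alone, and the per-incident ban rules are loaded into an anchor with `pfctl -a`, which replaces only that anchor's rules. The following pf.conf fragment is an added example and not part of this thread; the anchor name `bans`, the interface and port list, and the banned address (192.0.2.10, a documentation address) are all constructed for illustration.

```pf
# /etc/pf.conf (added example): the main ruleset stays loaded at all times;
# per-incident bans live in an anchor named "bans" (assumed name) and are
# changed with pfctl -a, so the main ruleset is never flushed.
set skip on lo0
block in log                                 # default deny for inbound traffic
anchor "bans"                                # anchor rules are evaluated at this point;
                                             # a "quick" block here ends evaluation
pass out keep state
pass in proto tcp to port { 22 80 443 } keep state

# Ban one address without touching the main ruleset (constructed address).
# Loading into the anchor replaces the anchor's rules only:
#   echo 'block in quick from 192.0.2.10 to any' | pfctl -a bans -f -
# Inspect the anchor, and flush it again once the incident is over:
#   pfctl -a bans -s rules
#   pfctl -a bans -F rules
```

Because the anchor sits above the `pass in` rules and the ban uses `quick`, the block wins regardless of later matches, and `pfctl -a bans -F rules` lifts every ban while leaving the main ruleset and its states in place.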
