On Thu, Jan 09, 2003 at 10:00:55PM +0100, Srebrenko Sehic wrote:

> Niceeee. Btw, what's the main difference between tables and
> anchors?

An anchor is a bunch of rules, while a table is a bunch of addresses (or
netmasks).

If you have a block of rules in your main ruleset like

  pass out from 10.1.2.3 to any
  pass out from 10.1.2.4 to any
  pass out from 10.1.2.5 to any

which only differ in their addresses, you could use a table

  pass out from <foo> to any

and load the addresses into the table. This would reduce the number of
rules and make evaluation much faster.

If you have a block of rules which differ more, like

  block out
  pass out inet proto tcp from 10.1.2.3 to any port www flags S/SA keep state
  pass in inet proto tcp from any to 10.2.3.4 flags S/SA keep state
  pass in inet proto udp from any to 10.2.3.4 port domain

you could load them into an anchor (it's a sub-ruleset of the main
ruleset). You can branch into the anchor from the main ruleset
conditionally:

  anchor bar on $ext_if

which would reduce the number of evaluations, too.

And of course you can mix both concepts, use tables in rules inside
anchors, etc. :)

Daniel
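A pf.conf fragment that puts both concepts from the reply together, added here as an illustration and not taken from the original mail; the interface name em0 and the anchor file path /etc/pf.anchor.bar are assumptions:

```pf
# /etc/pf.conf (added example; em0 and the anchor file path are assumptions)
ext_if = "em0"

# A table holds addresses, so the three address-only rules collapse into one.
# 'persist' keeps <foo> around even while no loaded rule references it, so it
# can be filled and emptied with pfctl at runtime without reloading the ruleset.
table <foo> persist { 10.1.2.3, 10.1.2.4, 10.1.2.5 }
pass out from <foo> to any

# An anchor holds rules. The main ruleset only branches into 'bar' for packets
# on $ext_if; everything else skips the whole sub-ruleset.
anchor bar on $ext_if
load anchor bar from "/etc/pf.anchor.bar"

# /etc/pf.anchor.bar -- the sub-ruleset, kept in its own file:
#   block out
#   pass out inet proto tcp from 10.1.2.3 to any port www flags S/SA keep state
#   pass in  inet proto tcp from any to 10.2.3.4 flags S/SA keep state
#   pass in  inet proto udp from any to 10.2.3.4 port domain
#
# Runtime maintenance without touching the main ruleset:
#   pfctl -t foo -T add 10.1.2.6          # add a host to the table
#   pfctl -t foo -T show                  # list table contents
#   pfctl -a bar -f /etc/pf.anchor.bar    # reload only the anchor's rules
#   pfctl -a bar -s rules                 # show the anchor's rules
```

Check the main file with `pfctl -nf /etc/pf.conf` before loading it; the anchor file is parsed separately when it is loaded.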