On Fri, 22 Sep 2006 10:37:57 +0200 [EMAIL PROTECTED] (Peter N. M. Hansteen) wrote:
> Ken Gunderson <[EMAIL PROTECTED]> writes:
>
> > Are there any reasons to prefer lists over tables (or vice versa)
> > for the smaller sized stuff, e.g. /29 - /26 subnets? Any comments
> > about when should one not use tables?
>
> Tables are exclusively for addresses, and pfctl has quite a few
> options which makes it easy to do operations on tables from the
> command line.
>
> So I suppose any set of addresses which conceivably could change more
> frequently than you would want to reload your entire rule set would be
> a prime candidate getting turned into a table.

Thanks Peter. I should have been more clear; I meant lists of IP addresses vs. tables of IP addresses for small/medium sized subnets that are static in nature. Things that change and/or may need to manipulate on the fly already go into tables as per "Tables provide a mechanism for increasing the performance and flexibility of rules with large numbers of source or destination addresses." ;)

In my mind a couple "class A" blocks classifies as "large" and <spamd> needs to be flexible. But what about a /20 that doesn't change? Given that tables increase performance I was wondering if I shouldn't also start using them for smaller blocks of addresses as well. I suspect performance differences are negligible at this level but there may be additional factors to be considered.

It also tends to be one of the questions that others I introduce to pf ask, so I thought it's about time I came up with a more informed answer ;-)

--
Best regards,
Ken Gunderson

"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)
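
For comparison, an added example that is not part of the original message: the same static address set written once as a pf list and once as a table. The interface name, the macro and table names, and the documentation-range addresses are assumptions.

```pf
# pf.conf fragment (constructed example; em0, the names and the
# addresses below are assumptions, not values from the thread)
ext_if = "em0"

# The same static set, declared both ways. Macros and tables are
# declared ahead of the filter rules.
static_list = "{ 192.0.2.0/29, 198.51.100.64/26, 203.0.113.0/24 }"

# "const" means the table contents cannot be changed with pfctl -T
# after the ruleset is loaded, which suits a set that never changes.
table <static_tbl> const { 192.0.2.0/29, 198.51.100.64/26, 203.0.113.0/24 }

# List form: pfctl expands the list at load time, so this single line
# becomes one loaded rule per list member (three here).
pass in on $ext_if proto tcp from $static_list to any port 22

# Table form: stays one loaded rule; the packet's source address is
# looked up in the table instead of being compared rule by rule.
pass in on $ext_if proto tcp from <static_tbl> to any port 22

# To compare what was actually loaded:
#   pfctl -sr                     # shows the expanded list rules
#   pfctl -t static_tbl -T show   # shows the table contents
```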