Hello, On Sat, Apr 29, 2023 at 01:37:52PM +0000, Klemens Nanni wrote: > Both walk the list of rulesets aka. anchors, first one yields a count, > second yields a specific's anchor name. > > Same data access pattern, different copy out, basically. > > pf_anchor_global are contained within pf_ioctl.c and pf_ruleset.c and > fully protected by the pf lock. > > Same for pf_main_ruleset and its pf.c usage. > > Running with extra asserts to double check works and handling 60k rules > an anchor works noticably faster: > > # jot -w 'pass proto tcp to port ' 60000 | pfctl -a test -o none -f - > # time pfctl -a test -s r | wc -l > 60000 > 0m02.10s real 0m00.40s user 0m01.70s system > > Dropped from around 3.5s to around 2.0s for me. > > Feedback? OK without asserts?
OK with asserts. thanks and regards sashan