From be58a5d1076d0d15b07ce40f1b5c7a98c1d89257 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Sat, 7 Apr 2007 02:10:12 +0000
Subject: Use -o when loading the pf ruleset.

From the pfctl man page: -o Enable the ruleset optimizer. The ruleset optimizer attempts to improve rulesets by removing rule duplication and making better use of rule ordering. Specifically, it does four things: 1. remove duplicate rules 2. remove rules that are a subset of another rule 3. combine multiple rules into a table when advantageous 4. re-order the rules to improve evaluation performance A second -o may be specified to use the currently loaded ruleset as a feedback profile to tailor the optimization of the quick rules to the actual network behavior. It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. Use -o when loading the pf ruleset. From the pfctl man page: -o Enable the ruleset optimizer. The ruleset optimizer attempts to improve rulesets by removing rule duplication and making better use of rule ordering. Specifically, it does four things: 1. remove duplicate rules 2. remove rules that are a subset of another rule 3. combine multiple rules into a table when advantageous 4. re-order the rules to improve evaluation performance A second -o may be specified to use the currently loaded ruleset as a feedback profile to tailor the optimization of the quick rules to the actual network behavior. It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before.
---
 etc/inc/filter.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'etc')

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5028d60..8d657cf 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -203,7 +203,7 @@ function filter_configure_sync() {
 $mt = microtime();
 echo "pfctl being called at $mt\n";
 }
- $rules_loading = mwexec("/sbin/pfctl -f {$g['tmp_path']}/rules.debug");
+ $rules_loading = mwexec("/sbin/pfctl -o -f {$g['tmp_path']}/rules.debug");
 if(isset($config['system']['developerspew'])) {
 $mt = microtime();
 echo "pfctl done at $mt\n";
--
cgit v1.1
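Review bot: The side effect the commit message itself calls out — the optimizer merges, de-duplicates and re-orders rules, so per-rule counters change meaning — is invisible at the call site, and a maintainer reading the changed `mwexec("/sbin/pfctl -o -f {$g['tmp_path']}/rules.debug")` line gets no hint that rule numbers in pflog output and `pfctl -vsr` counters no longer map one-to-one onto the lines of rules.debug. Add a comment above the changed line, e.g. `/* -o enables the ruleset optimizer: rules may be merged or re-ordered, so per-rule counters and pflog rule numbers no longer match rules.debug line by line */`. Whether `$rules_loading` (the mwexec exit status) is examined after the hunk cannot be seen here; if a pfctl failure is not acted on, the previously loaded ruleset presumably stays in effect without any visible error, which is worth confirming now that loading involves an extra optimization pass. filter_configure_sync() starts and ends outside the hunk.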