[pf4freebsd] Question about tables vs. lists.

James Quick jq at quick.com
Wed Sep 15 20:52:17 PDT 2004

I'm brand new to pf and though I have a pretty good handle on it,
would like to make sure that I am making wise decisions as I move
toward more complex configuration.

Though I did play around with some rulesets which used list
expansion in rules, my current ruleset uses tables for everything
(except for one each of { tcp, udp } and { http, https } in-line).
In particular, I have several tables which are likely to change
over time, but should not typically change very often - weekly
or monthly.

The tables in question currently have 3-5 entries, and should
not grow beyond 10-20 entries.

I prefer the additional information that I can easily grab from
pfctl for tables, and also like the more modular design.  I am
unsure, however, about the relative costs of table lookup vs. the
increase in rule count that the use of a list would incur.

Are there any compelling reasons to use lists instead of tables
for small sets?  Since the total number of tables is likely to
remain fairly small, I don't consider the up front memory cost
for a small table to be compelling.

For example:
wanbad = " 0.0.0/8,,, \,,, \,,, \, \

table <wanspoof> const  { $wanbad, $qnet }
table <localnets> const { $qnet, $unet }
table <dnshosts> persist { fw, fw-gate, ns }
table <mailhosts> persist { jail1, jailtest }
table <webhosts> persist { jail1, jailtest, laptop }
table <clocks> persist { bonehed.lcs.mit.edu, clock.nyc.he.net, \
	ntp.ourconcord.net }
table <servers> { jail1, fw, fw-gate, jailtest, ns }

block in log quick on $wan from <wanspoof> label "spoof"
block in log quick on $wan from no-route label "unroutable:$srcaddr"
block out quick on $wan to <wanspoof>

pass in log quick on $wan proto tcp to <mailhosts> port smtp \
	flags S/SA keep state label "mail"
pass in log quick on $wan proto tcp to <webhosts> port { http, https } \
	keep state label "web"

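The cost the question is about is rule count: pfctl expands every in-line
{ a, b, ... } list into one rule per element, and two lists in the same rule
multiply, while a <table> reference stays a single rule whose lookup happens
at match time. The script below is an added illustration, not part of the
original post or of pf itself; it mimics only pfctl's list expansion (it does
not parse real pf.conf grammar), and the macro value "em0", the table name
<webhosts>, and both rulesets are constructed for the example.

```python
import itertools
import re

# One pair of brace lists in a rule, e.g. "{ jail1, jailtest }".
LIST_RE = re.compile(r"\{([^{}]*)\}")
# A $macro reference.
MACRO_RE = re.compile(r"\$(\w+)")

# Constructed macro table for the example (the interface name is made up).
MACROS = {"wan": "em0"}

# Constructed ruleset 1: destination hosts spelled out as an in-line list.
LIST_RULESET = """\
# in-line list: every web host appears in the rule itself
pass in quick on $wan proto tcp to { jail1, jailtest, laptop } \\
    port { http, https } keep state
"""

# Constructed ruleset 2: the same policy with the hosts held in a table.
TABLE_RULESET = """\
# table: one rule, the host set is a radix lookup at match time
table <webhosts> persist { jail1, jailtest, laptop }
pass in quick on $wan proto tcp to <webhosts> \\
    port { http, https } keep state
"""


def expand_macros(rule, macros):
    """Substitute $name macros, as pfctl does before list expansion."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    return MACRO_RE.sub(sub, rule)


def expand_lists(rule):
    """Return every concrete rule a single list-bearing rule stands for.

    Each brace list yields one rule per element; several lists in one rule
    yield their Cartesian product.  A <table> token is not a list and does
    not expand, so a table-based rule stays one rule.
    """
    lists = LIST_RE.findall(rule)
    if not lists:
        return [" ".join(rule.split())]
    choices = []
    for body in lists:
        items = [x for x in re.split(r"[,\s]+", body.strip()) if x]
        if not items:
            raise ValueError(f"empty list in rule: {rule}")
        choices.append(items)
    expanded = []
    for combo in itertools.product(*choices):
        it = iter(combo)
        # Replace the lists left to right with this combination's elements.
        concrete = LIST_RE.sub(lambda _m: next(it), rule)
        expanded.append(" ".join(concrete.split()))
    return expanded


def expand_ruleset(text, macros):
    """Expand a small pf.conf fragment into the rules pf would evaluate.

    Comments, blank lines, macro definitions and table definitions are
    skipped; backslash continuation lines are joined first.
    """
    text = text.replace("\\\n", " ")
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if (not line or line.startswith(("table ", "set "))
                or re.match(r"^\w+\s*=", line)):
            continue
        rules.extend(expand_lists(expand_macros(line, macros)))
    return rules


def rule_count(text, macros):
    """Number of rules the filter will walk for this fragment."""
    return len(expand_ruleset(text, macros))


if __name__ == "__main__":
    for name, text in (("list", LIST_RULESET), ("table", TABLE_RULESET)):
        rules = expand_ruleset(text, MACROS)
        print(f"{name}: {len(rules)} rule(s)")
        for r in rules:
            print("  ", r)
```

On a real host the same comparison is visible with `pfctl -nvf /etc/pf.conf`,
which prints the expanded rules without loading them, and the contents of a
table can be inspected and changed at runtime with `pfctl -t webhosts -T show`
and `pfctl -t webhosts -T replace -f hosts.txt`, which is the operational
advantage of tables for sets that change weekly or monthly: the membership
changes without a ruleset reload.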