> We've been using pf.conf and tables for years but have
> recently embarked on a project to optimize pf.conf.
> In reading about tables it's not clear when tables are more
> efficient than individual rules. Is there a definitive point? Is it
> three entries? six entries? ten entries?
> If it's not a constant, is there a simple test that we can run
> to determine if a table is more efficient than individual rules in
> each case?
Aside from the documented performance advantage to using tables where
multiple hosts are involved (whatever that exact number may be), there
is a very important administrative advantage and the reason I often use
tables with as few as one or two hosts in them -- you can modify
entries in the table *without* having to reload your rule set (i.e. it
is much safer and less disruptive).
But as far as squeezing a few micro-seconds of performance (if that
much) by "optimizing" pf.conf, I would not worry about that -- the
developers are constantly improving the network stack and performance
of all of its components, including the packet filter. The primary
optimization we, the sysadmins, should focus on is manageability. All
your marginal performance gains will be lost if the resulting pf.conf
becomes unwieldy and unmanageable.