svn commit: r359573 - stable/11/sbin/pfctl
Kristof Provost
kp at FreeBSD.org
Thu Apr 2 18:37:26 UTC 2020
Author: kp
Date: Thu Apr 2 18:37:15 2020
New Revision: 359573
URL: https://svnweb.freebsd.org/changeset/base/359573
Log:
MFC r359130:
pfctl: improve rule load times with thousands of interfaces
r343287 / D18759 introduced ifa_add_groups_to_map() which is now run by
ifa_load/ifa_lookup/host_if. When loading an anchor or ruleset via pfctl that
does NOT contain ifnames as hosts, host() still ends up iterating all
interfaces twice, grabbing the SIOCGIFGROUP ioctl twice for each. This adds an
unnecessary amount of time on systems with thousands or tens of thousands of
interfaces.
Prioritize the IPv4/6 check over the interface name lookup, which skips loading
the iftab and iterating all interfaces when the configuration does not contain
interface names.
Submitted by: Nick Rogers
Sponsored by: RG Nets
Modified:
stable/11/sbin/pfctl/pfctl_parser.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sbin/pfctl/pfctl_parser.c
==============================================================================
--- stable/11/sbin/pfctl/pfctl_parser.c Thu Apr 2 18:32:44 2020 (r359572)
+++ stable/11/sbin/pfctl/pfctl_parser.c Thu Apr 2 18:37:15 2020 (r359573)
@@ -1465,16 +1465,17 @@ host(const char *s)
mask = -1;
}
- /* interface with this name exists? */
- if (cont && (h = host_if(ps, mask)) != NULL)
- cont = 0;
-
/* IPv4 address? */
if (cont && (h = host_v4(s, mask)) != NULL)
cont = 0;
/* IPv6 address? */
if (cont && (h = host_v6(ps, v6mask)) != NULL)
+ cont = 0;
+
+ /* interface with this name exists? */
+ /* expensive with thousands of interfaces - prioritze IPv4/6 check */
+ if (cont && (h = host_if(ps, mask)) != NULL)
cont = 0;
/* dns lookup */
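Review bot: the reorder changes precedence, not just cost: any string that both names an existing interface and parses as an address literal via host_v4()/host_v6() now resolves as the address rather than the interface, because host_if() is only reached when cont is still set after both address checks; the commit message should state that this case is acceptable (or that no such names occur) so the behaviour change is documented alongside the performance win. Minor: the new comment misspells "prioritize" ("prioritze IPv4/6 check") and would read better as a single comment block, e.g. `/* interface with this name exists? Expensive with thousands of interfaces, so the IPv4/6 checks run first. */`.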