Parsing/Loading pf.conf took some time after Upgrade from 8.2 to 9.0

Hi guys,

I already upgraded some of my FreeBSD firewalls from 8.2 to 9.0-RELEASE-p4. Now I maybe have a problem with one machine. It takes about 15 seconds to parse or load the pf.conf with pfctl. Before the upgrade I hit return and the ruleset was parsed or loaded immediately. On my other upgraded firewalls the rules are parsed or loaded right after hitting the button.

Now the dumb question: is this a problem?

Output from pfctl -s info:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 1 days 21:35:06           Debug: Urgent

State Table                          Total             Rate
  current entries                     4437
  searches                       501610758         3056.6/s
  inserts                          8391531           51.1/s
  removals                         8387094           51.1/s
Counters
  match                            8496867           51.8/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      1028            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
 
I've just run into this as well. The cause, it seems, is that the newer version of pf in FreeBSD 9 has ruleset-optimization set to basic by default. You can turn it off by putting

set ruleset-optimization none

at the top of your pf.conf or passing it on the command line:

http://www.openbsd.org/faq/pf/options.html

That said, I wouldn't mind the optimization, but mine takes even longer. Part of the reason is my own fault: being tired of the same countries trying to hack in or overload our network (countries we don't do business with), I created a lot of block quick rules to block entire IP blocks. I know it likely isn't ideal, but we have run that way for a while and it actually is kind of nice. No complaints and less hacking traffic to deal with.

Anyway, you can either wait it out and let the ruleset be optimized or turn that option off.
 
Thanks for the tip!

When I disable the ruleset-optimization, the rules load instantly. It's too bad that the FreeBSD man pages say nothing about the parameters for pf.conf. I will read a bit more about that feature in the OpenBSD manual. Maybe I'll leave the option enabled to get "optimized" rules ;)
 
A tip I found was to take your current ruleset, then do

pfctl -vnf /etc/pf.conf

with the optimization on. Let it take a while to run. The output will be your optimized ruleset. With this, you have a couple of options. You could do something like

pfctl -vnf /etc/pf.conf > /etc/pf.conf.new

then mv your pf.conf.new to pf.conf, making your ruleset the pre-optimized one (so it runs through a reload very quickly), or make up some kind of script that takes the original ruleset that you maintain and comment, creates an optimized one, then puts that in the "in use" space and reloads based on it. The main downside to the output of the command above is that you lose any comments you might have had.

In my case, I had a lot of block one-liners and it was converting them into tables. I just switched out those sections in my ruleset and now they load with the optimization enabled almost instantly.
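The rewrite the last post describes, as an added example that is not from the thread or from pf itself: a small sh/awk script that collapses the block one-liners into one table plus one rule, the same thing the optimizer does, but keeps the comments that the optimized pfctl output drops. The table name blocked_nets, the sample ruleset and the assumption that each one-liner has exactly the form `block in quick from <net> [to any]` are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): collapse repeated
# "block in quick from <net> [to any]" one-liners into one pf table plus one
# rule while leaving every other line, comments included, untouched.
# Assumes one IPv4 address or CIDR per rule and no interface or label options.
set -eu

# Reads a ruleset on stdin and writes the rewritten ruleset on stdout. The
# table definition is emitted where the first one-liner stood, just ahead of
# the single rule that references it, so the rest of the rule order is kept.
collapse_block_rules() {
    awk '
    function is_net(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ }
    function is_one_liner() {
        return $1 == "block" && $2 == "in" && $3 == "quick" && $4 == "from" &&
               is_net($5) && (NF == 5 || (NF == 7 && $6 == "to" && $7 == "any"))
    }
    is_one_liner() {
        if (!seen[$5]++) {                        # drop duplicate networks
            nets[++n] = $5
            if (n == 1) out[++m] = "@@TABLE@@"    # sentinel, replaced at END
        }
        next
    }
    { out[++m] = $0 }                             # everything else verbatim
    END {
        for (i = 1; i <= m; i++) {
            if (out[i] != "@@TABLE@@") { print out[i]; continue }
            printf "table <blocked_nets> persist {"
            for (j = 1; j <= n; j++) printf "%s%s", (j > 1 ? ", " : " "), nets[j]
            print " }"
            print "block in quick from <blocked_nets> to any"
        }
    }'
}

# Constructed sample: the kind of ruleset the thread talks about.
SAMPLE_RULESET='ext_if = "em0"
set skip on lo0
# countries we do not do business with
block in quick from 203.0.113.0/24 to any
block in quick from 198.51.100.0/24 to any
block in quick from 203.0.113.0/24 to any
block in quick from 192.0.2.0/24
pass out on $ext_if keep state
pass in on $ext_if proto tcp to port 22 keep state'

printf '%s\n' "$SAMPLE_RULESET" | collapse_block_rules
```

Write the result to a new file and run `pfctl -nf` on it before moving it into place, so a rejected ruleset never replaces the working one.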
 