Tables (cont.)

lookups are cheap, even for huge tables
radix tree allows netblocks and negation:

10.1.2.3
10.2.0.0/16
! 10.2.3.4
! 10.2.4.0/24

closest match wins, algorithm shared with routing table
tables can be used as any source or destination address, including translation rules, {} lists, with anchors.
manipulation of tables through pfctl without reloading any rules (e.g. from scripts)