Re: FairQ ALTQ for PF - Patch #2

Previous thread: Re: Testing monotonic clock by Matthew Dillon on Monday, April 7, 2008 - 7:39 am. (2 messages)

Next thread: Re: FairQ ALTQ for PF - Patch #2 by Matthew Dillon on Monday, April 7, 2008 - 9:57 am. (1 message)
From: Matthew Dillon
Date: Monday, April 7, 2008 - 8:05 am

    I found the code.  NetBSD doesn't seem to have adopted that change.

    I'm not sure I want to adopt the keep state by default on pass
    rules but S/SA clearly must be adopted and its default modified by
    the new options (i.e. S/SA set by default (also for 'nopickups'),
    and not set if 'pickups' or 'hashonly' since we want to pickup the
    stream in the middle for the latter two).

    Some of this stuff is starting to look a little overboard.  I can see
    having keep state on as a default if it didn't have such an adverse
    effect on existing TCP streams on reboot, but it does and because it
    does I don't think I want it turned on as a default in DragonFly.  

    Or, alternatively, we could turn it on by default in DragonFly but
    as 'hashonly' unless a keep state directive is explicitly specified
    in the rule.  But then issues pop up where the administrator might not
    have wanted keep state for everything due to extreme volumes and doing
    that could blow out the areas he DID want keep state on.  So, right now,
    I'm inclined not to turn on keep state by default if it isn't specified
    in the rule.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
From: Max Laier
Date: Monday, April 7, 2008 - 8:53 am

You will want this change, too:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c#rev1.51

Note that processing the ruleset is *really* expensive.  Keep state 
wherever, whenever you can.  I agree that the tcp checking is a bit 
overzealous, but not keeping state at all is not a good idea.

I don't know what the most reasonable default is, but offering a way to 
switch off the extended tcp checking is certainly a good thing.  I think 
I will take this to FreeBSD sooner or later, but will keep conservative 
defaults.  i.e. "flags S/SA keep state (nopickups)" in your current 
proposed naming.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
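The two rule shapes the thread is comparing, written out in standard pf.conf syntax as an added illustration (this is not a ruleset from the thread or from any of the projects discussed; the interface macro and port are constructed, and the DragonFly-specific option names proposed above are deliberately not used):

```pf
# Constructed example; $ext_if and port 22 are placeholders.
ext_if = "em0"

# Default-deny, so a TCP segment that matches no state and no pass rule
# is dropped.
block all

# Conservative form (the default Max proposes):  "flags S/SA" means that
# of the SYN and ACK bits only SYN may be set, so the rule matches only
# the first packet of a handshake and state is created only there.  The
# cost: if the firewall reboots, packets of connections that were already
# established find no state, do not match this rule (SYN is not set),
# and fall through to "block all".
pass in on $ext_if proto tcp to port 22 flags S/SA keep state

# Permissive form ("pick up the stream in the middle"):  with no "flags"
# restriction the rule matches any TCP segment, so a mid-stream packet
# seen after a reboot re-creates state and the connection survives.
# The trade-off Max notes: the state is created with less knowledge of
# the connection's real sequence-number window, so the extended TCP
# checking is weaker for such entries.
pass in on $ext_if proto tcp to port 22 keep state
```

Both rules keep state; the thread's disagreement is only about which of the two should be the implicit default when a rule says neither, and whether that default should be chosen per rule by the administrator rather than globally.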
From: Simon 'corecode' Schubert
Date: Monday, April 7, 2008 - 8:51 am

I concur.  Keep state should be explicit.  Furthermore, I don't expect
keep state not to work across reboots.  That's why I then write keep
state flags S/SA.  Something clearly needs to be untangled here.  Keep
state should keep state as well as possible, but not reject connections.

cheers
  simon