Re: FairQ ALTQ for PF - Patch #2

view
thread

!MAILaRCHIVE_VOTE_RePLACE

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Max Laier <max@...>

To: <kernel@...>

Subject: Re: FairQ ALTQ for PF - Patch #2

Date: Monday, April 7, 2008 - 11:53 am

On Monday 07 April 2008 17:05:32 Matthew Dillon wrote:
quoted text> :Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
> :
> :In OpenBSD 4.1 and later, the default flags S/SA are applied to all
> : TCP filter rules.
> :
> :Since OpenBSD 4.1, "keep state" is also the default.
> :
> :Cedric
>
>     I found the code.  NetBSD hasn't seemed to have adopted that
> change.
>
>     I'm not sure I want to adopt the keep state by default on pass
>     rules but S/SA clearly must be adopted and its default modified by
>     the new options (i.e. S/SA set by default (also for 'nopickups'),
>     and not set if 'pickups' or 'hashonly' since we want to pickup the
>     stream in the middle for the latter two.

You will want this change, too:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c#rev1.51
if you turn on "flags S/SA" by default.

quoted text>     Some of this stuff is starting to look a little overboard.  I can
> see having keep state on as a default if it didn't have such an adverse
> effect on existing TCP streams on reboot, but it does and because it
> does I don't think I want it turned on as a default in DragonFly.
>
>     Or, alternatively, we could turn it on by default in DragonFly but
>     as 'hashonly' unless a keep state directive is explicitly specified
>     in the rule.  But then issues pop up where the administrator might
> not have wanted keep state for everything due to extreme volumes and
> doing that could blow out the areas he DID want keep state on.  So,
> right now, I'm inclined not to turn on keep state by default if it
> isn't specified in the rule.

Note that processing the ruleset is *really* expensive.  Keep state 
whereever, whenever you can.  I agree that the tcp checking is a bit 
overzealous, but not keeping state at all is not a good idea.

I don't know what the most reasonable default is, but offering a way to 
switch off the extended tcp checking is certainly a good thing.  I think 
I will take this to FreeBSD sooner or later, but will keep conservative 
defaults.  i.e. "flags S/SA keep state (nopickups)" in your current 
proposed naming.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: FairQ ALTQ for PF - Patch #2, Matthew Dillon, (Mon Apr 7, 11:05 am)

Re: FairQ ALTQ for PF - Patch #2, Simon 'corecode' Schubert..., (Mon Apr 7, 11:51 am)

Re: FairQ ALTQ for PF - Patch #2, Max Laier, (Mon Apr 7, 11:53 am)

Navigation

Popular discussions


linux-kernel:
debian developer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Greg Kroah-Hartman	[PATCH 002/196] Chinese: rephrase English introduction in HOWTO
Linus Torvalds	Re: Long delay in resume from RAM (Was Re: [patch 00/69] -stablereview)
Parag Warudkar	BUG: soft lockup - CPU#1 stuck for 15s! [swapper:0]
git:

linux-netdev:
Andi Kleen	[PATCH RFC] [4/9] modpost: Fix format string warnings
Rick Jones	Re: Network latency regressions from 2.6.22 to 2.6.29
Antonio Almeida	HTB accuracy for high speed
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
openbsd-misc:

Colocation donated by:

Online users

janel105

Syndicate