FairQ ALTQ for PF - Patch #3
Matthew Dillon
dillon at apollo.backplane.com
Wed Apr 9 11:31:12 PDT 2008
Ok, here is patch #3. This is the final patch short of bug fixes:
fetch http://apollo.backplane.com/DFlyMisc/pickups03.patch
* Added set keep-policy to set the default stateful inspection policy.
* Removed NetBSD's window scale patch.
After playing with keep state for the last few days I understand now
why OpenBSD made it the default. I wound up having to put it on every
single pass rule I had on my router. However, I continue to believe quite
strongly that keep state w/ flags S/SA is an inappropriate default due
to the adverse effect it has on pre-existing TCP connections, so I
wanted to come up with a solution that would be acceptable to projects
that might have a different opinion.
I came up with set keep-policy in your pf.conf. For example:
set keep-policy keep state (pickups)
This will cause all pass rules to use the specified policy by default,
so it does not have to be specified for each rule.
The policy can be overridden in each rule. I implemented the OpenBSD
'no keep' feature as well so it can also be turned off. I did not
see a similar feature to my 'set keep-policy' in OpenBSD.
I think this is the best solution. This way the fact that stateful
inspection is being used is explicitly specified in the pf.conf,
which should satisfy everyone, plus additional features such
as 'pickups' can be specified cleanly.
Unless something comes up I am going to commit this to DragonFly
on Friday and call it done. I would be pleased if other projects
picked up some or all of the work. Max, if you make fixes or further
enhancements to this for any porting you do to FreeBSD could you give
me a heads up? I'd like to keep them in sync at least for a little
while.
-Matt