FairQ ALTQ for PF - Patch #2

Max Laier max at love2party.net
Mon Apr 7 09:01:13 PDT 2008


On Monday 07 April 2008 17:05:32 Matthew Dillon wrote:
> :Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
> :
> :In OpenBSD 4.1 and later, the default flags S/SA are applied to all
> : TCP filter rules.
> :
> :Since OpenBSD 4.1, "keep state" is also the default.
> :
> :Cedric
>
>     I found the code.  NetBSD doesn't seem to have adopted that
>     change.
>
>     I'm not sure I want to adopt the keep state by default on pass
>     rules but S/SA clearly must be adopted and its default modified by
>     the new options (i.e. S/SA set by default (also for 'nopickups'),
>     and not set if 'pickups' or 'hashonly' since we want to pick up the
>     stream in the middle for the latter two).

You will want this change, too:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c#rev1.51
if you turn on "flags S/SA" by default.

>     Some of this stuff is starting to look a little overboard.  I can
> see having keep state on as a default if it didn't have such an adverse
> effect on existing TCP streams on reboot, but it does and because it
> does I don't think I want it turned on as a default in DragonFly.
>
>     Or, alternatively, we could turn it on by default in DragonFly but
>     as 'hashonly' unless a keep state directive is explicitly specified
>     in the rule.  But then issues pop up where the administrator might
> not have wanted keep state for everything due to extreme volumes and
> doing that could blow out the areas he DID want keep state on.  So,
> right now, I'm inclined not to turn on keep state by default if it
> isn't specified in the rule.

Note that processing the ruleset is *really* expensive.  Keep state 
wherever, whenever you can.  I agree that the TCP checking is a bit 
overzealous, but not keeping state at all is not a good idea.

I don't know what the most reasonable default is, but offering a way to 
switch off the extended TCP checking is certainly a good thing.  I think 
I will take this to FreeBSD sooner or later, but will keep conservative 
defaults, i.e. "flags S/SA keep state (nopickups)" in your current 
proposed naming.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
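The two defaults argued over in the message above, written out as a pf.conf fragment. This is an added illustration, not configuration posted by either author and not the DragonFly patch itself; the interface name and port numbers are assumptions, and the "pickups"/"nopickups" keywords are only the proposed naming from the thread, so the fragment uses the existing "flags" syntax to express the same two behaviours.

```pf
# Added example (not from the thread). Interface and ports are assumed.
ext_if = "em0"

# Conservative default, as Max Laier proposes: only a bare SYN (SYN set,
# ACK clear, i.e. flags S/SA) may create state. Every later packet of the
# connection is matched by the state table, so the ruleset is evaluated
# once per connection rather than once per packet, which is the cost the
# message warns about. "keep state" is spelled out because on pf versions
# older than OpenBSD 4.1 (quoted above) it is not implied by "pass".
pass in on $ext_if proto tcp from any to $ext_if port { 22, 80 } \
    flags S/SA keep state

# The mid-stream case Matthew Dillon raises: after a reboot the state
# table is empty, and packets of connections that were already established
# never carry a bare SYN, so they fail the S/SA check above and never get
# state. "flags any" drops the flag check so pf can create state from a
# packet it sees mid-stream; the price is that pf begins its sequence and
# window tracking without having seen the handshake, which is exactly the
# extended TCP checking the thread wants to be able to switch off.
pass in on $ext_if proto tcp from any to $ext_if port 5432 \
    flags any keep state
```

Which of the two to make the default is the open question of the thread; the fragment only shows that both are expressible per rule, so an administrator who wants the S/SA default can still pick up existing streams for the handful of long-lived services that need it.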