FairQ ALTQ for PF - Patch #2

Matthew Dillon dillon at apollo.backplane.com
Mon Apr 7 10:02:30 PDT 2008


:You will want this change, too:
:http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c#rev1.51
:if you turn on "flags S/SA" by default.

    Done, thank you!  Initial patch set will be posted in follow-up in
    just a sec.

:Note that processing the ruleset is *really* expensive.  Keep state 
:wherever, whenever you can.  I agree that the tcp checking is a bit 
:overzealous, but not keeping state at all is not a good idea.
:
:I don't know what the most reasonable default is, but offering a way to 
:switch off the extended tcp checking is certainly a good thing.  I think 
:I will take this to FreeBSD sooner or later, but will keep conservative 
:defaults.  i.e. "flags S/SA keep state (nopickups)" in your current 
:proposed naming.
:
:-- 
:/"\  Best regards,                      | mlaier at freebsd.org
:\ /  Max Laier                          | ICQ #67774661

    Yes, I see the reasoning behind keep state.  If keep state were on
    by default, though, I think I'd want it to be pickups rather than
    no-pickups.  I just can't wrap my head around it blowing up TCP
    connections.  However, if one explicitly specified a keep state
    directive for a rule, I agree the default should be no-pickups.

						-Matt
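To make the terms in the exchange above concrete, here is a pf.conf fragment (an added example, not code from the thread or from the DragonFly/FreeBSD pf sources) contrasting the conservative "flags S/SA keep state" form Max recommends, a stateless rule, and a keep-state rule without a flags restriction. The interface name and port numbers are assumptions for illustration; the "(nopickups)" option discussed in the thread is only a proposed name at this point and is deliberately not used here, since a real pfctl would reject it.

```conf
# Added example (not from the thread). Interface and ports are assumptions.
ext_if = "em0"

# Conservative form: only a packet with SYN set and ACK clear can create
# state, so pf never picks up an already-established connection mid-stream
# and its TCP sequence-window tracking has always seen the full handshake.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# Stateless form: every packet of the connection is evaluated against the
# whole ruleset, which is the expensive case the thread warns about.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 no state

# keep state without "flags S/SA": any matching packet, including one from
# the middle of an existing connection, can create state (a "pickup").
pass in on $ext_if proto tcp from any to ($ext_if) port 443 keep state
```

Before loading a ruleset like this, parse-check it with "pfctl -nf /etc/pf.conf"; afterwards, "pfctl -ss" lists the state entries so you can confirm that the port 22 rule only creates state on a fresh SYN while the port 443 rule also creates state for connections that were already open.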
