FairQ ALTQ for PF - Patch #2

Matthew Dillon dillon at apollo.backplane.com
Sun Apr 6 18:30:36 PDT 2008


:>     (1) I'm using keep state, not synproxy.  Is PF still attempting to
:> do window sequence space comparisons and dropping packets if they do
:> not match?  If it is, do you know where in the code that is
:> 	(I've been staring at it a while trying to find just such a
:> 	comparison but not having a whole lot of luck).
:
:See the attached forward from the pf mailinglist.  The referenced paper is 
:a good read, too.

    (reading that right now)

:> 	and it drops some of its state, won't those flows wind up being
:> 	left out of the state code from that point on?  They would not be
:> 	identifiable to the fairq code, then, which would be a fairly
:> 	significant problem.
:
:Usually you won't drop active states.  You'd simply time them out more 
:aggressively (see adaptive.{start,end} in pf.conf(5) if your version has 
:that already) or not allow a new state to be created.
:...
:It really depends on what you want to achieve.  If you are after security 
:for a network of clients with bad/broken TCP stacks then leaving out the 
:window checks is not a good idea.  I can see that there are cases where 
:you'd want to check only the (src,dst,proto)-tuple and pass every 
:matching packet regardless.  Currently pf doesn't allow for this to 
:happen statefully and I don't think OpenBSD is going to make that change, 
:ever.  If you think of pf as a security first and foremost mechanism this 
:makes sense.  I'm also somewhat reluctant to make that change in FreeBSD, 
:otoh there are cases where you'd want that rope.
:
:-- 
:/"\  Best regards,                      | mlaier at freebsd.org
:\ /  Max Laier                          | ICQ #67774661

    Yah, we have the adaptive.start/end stuff.  I think I have a pretty
    good handle on the issues now.   I understand NetBSD's viewpoint on
    connection tracking. 

    But for my own network I am extremely uncomfortable allowing a router
    to drop a good TCP connection, and even more uncomfortable having the
    router control timeouts considering that the only way to overcome such
    a situation in the face of overload would be to drop the keepalive
    timeouts on all my machines down to fairly small values.  I don't want
    a reboot of my router to blow up the several hundred active TCP
    connections from half a dozen servers that are running through it.

    At the same time I really want to use the keep-state mechanic to serve
    as a basis for caching that hash code for my fairq.  I don't want to
    roll my own like the WFQ code does... that would be a massive duplication
    of work.

    I think the solution is to add another flavor of keep state that
    is explicitly meant for use with fairq (or fairq-like) mechanisms,
    or for middle-of-network routing (verses edge routing), which want
    that hash code or want some sort of identification entity for flows.

    If I create a 'hash state' keyword that would be fairly obvious
    in its function.  It would basically operate the same as keep state,
    but explicitly omit any checks which cannot be done if the state is
    picked up in the middle of the connection.

    I definitely want to make fairq portable to other OS's.  What do you
    think about a 'hash state' keyword?  From a coding perspective it's 
    a little work in parse.y and maybe three or four conditionals in the
    TCP state code (to omit the sequence space checks for that case).

						-Matt






More information about the Kernel mailing list