FairQ ALTQ for PF - Patch #2
Matthew Dillon
dillon at apollo.backplane.com
Mon Apr 7 08:10:24 PDT 2008
:Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
:
:In OpenBSD 4.1 and later, the default flags S/SA are applied to all TCP
:filter rules.
:
:Since OpenBSD 4.1, "keep state" is also the default.
:
:Cedric
I found the code. NetBSD doesn't seem to have adopted that change.
I'm not sure I want to adopt keep state by default on pass
rules, but S/SA clearly must be adopted and its default modified by
the new options (i.e. S/SA set by default (also for 'nopickups'),
and not set if 'pickups' or 'hashonly', since we want to pick up the
stream in the middle for the latter two).

Some of this stuff is starting to look a little overboard. I can see
having keep state on as a default if it didn't have such an adverse
effect on existing TCP streams on reboot, but it does and because it
does I don't think I want it turned on as a default in DragonFly.
Or, alternatively, we could turn it on by default in DragonFly but
as 'hashonly' unless a keep state directive is explicitly specified
in the rule. But then issues pop up where the administrator might not
have wanted keep state for everything due to extreme volumes and doing
that could blow out the areas he DID want keep state on. So, right now,
I'm inclined not to turn on keep state by default if it isn't specified
in the rule.
-Matt
Matthew Dillon
<dillon at backplane.com>
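The trade-off Matt describes (SYN-only state creation vs. surviving a firewall reboot) is easiest to see in a pf.conf that states the policy explicitly per rule instead of relying on whichever default the OS ships. The fragment below is an added example, not from this thread or the DragonFly patch; it assumes OpenBSD 4.1-era pf.conf syntax (`flags S/SA`, `flags any`, `keep state`, `no state`) and the macro values are constructed.

```pf
# Constructed macros for the example.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Stateful rule: only a SYN without ACK (S/SA) may create state, and every
# later packet must match an existing state entry. If the firewall reboots,
# established connections have no state and are dropped until the endpoints
# complete a new handshake. This is the behaviour keep-state-by-default gives.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# Stateless rule: no flag check and no state table entry, so a connection
# already in progress keeps flowing across a firewall reboot. The price is
# that every packet is evaluated against the ruleset and none of pf's
# state-based checks (sequence-window tracking, per-state limits) apply.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags any no state
```

Spelling both out per rule is what lets an administrator keep state only where it is wanted, which is the concern raised above about high-volume rules blowing out the state table.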