DragonFly Kernel mailing list
Re: FairQ ALTQ for PF - Patch #2
Mon, 7 Apr 2008 08:05:32 -0700
:Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
:
:In OpenBSD 4.1 and later, the default flags S/SA are applied to all TCP
:filter rules.
:
:Since OpenBSD 4.1, "keep state" is also the default.
:
:Cedric

    I found the code.  NetBSD doesn't seem to have adopted that change.

    I'm not sure I want to adopt keep state by default on pass
    rules, but S/SA clearly must be adopted and its default modified by
    the new options (i.e. S/SA set by default (also for 'nopickups'),
    and not set if 'pickups' or 'hashonly', since we want to pick up the
    stream in the middle for the latter two).

    Some of this stuff is starting to look a little overboard.  I can see
    having keep state on as a default if it didn't have such an adverse
    effect on existing TCP streams on reboot, but it does and because it
    does I don't think I want it turned on as a default in DragonFly.  

    Or, alternatively, we could turn it on by default in DragonFly but
    as 'hashonly' unless a keep state directive is explicitly specified
    in the rule.  But then issues pop up where the administrator might not
    have wanted keep state for everything due to extreme volumes and doing
    that could blow out the areas he DID want keep state on.  So, right now,
    I'm inclined not to turn on keep state by default if it isn't specified
    in the rule.

					-Matt
					Matthew Dillon 
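As an added illustration of the rule defaults discussed above (this fragment is not from the thread, the DragonFly tree, or NetBSD's pf), here is an OpenBSD 4.1-style pf.conf showing the explicit and implied forms side by side, plus the two cases Matt raises: picking up a TCP stream mid-connection (which requires relaxing the S/SA check) and opting out of per-connection state on high-volume rules. The 'pickups', 'nopickups' and 'hashonly' keywords are proposals from this thread and are not pf syntax, so they do not appear; `flags any` and `no state` are assumed to be available as described in OpenBSD 4.1's pf.conf(5), and `em0` is a placeholder interface.

```pf
# Added example, not part of the original thread or of any pf tree.
# Syntax follows OpenBSD 4.1-era pf.conf(5); 'flags any' and 'no state'
# are assumed to exist as documented there. em0 is a placeholder.
ext_if = "em0"

# Pre-4.1 habit: SYN-only matching and state creation written out.
# State is only created on the initial SYN (S set, of S and A examined),
# so a connection that was already established before a reboot never
# matches this rule and is dropped by the default block policy.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# On OpenBSD 4.1 and later the rule above is equivalent to this one:
# 'flags S/SA' and 'keep state' are both implied for TCP pass rules.
pass in on $ext_if proto tcp from any to ($ext_if) port 22

# To pick up a stream in the middle (the 'pickups' case in the thread)
# the SYN-only check has to go: with 'flags any' state can be created
# from any packet of the connection, not just the handshake.  The cost
# is that the state entry starts without a full window/sequence picture.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 \
    flags any keep state

# Opting out of the default state entirely, for the high-volume case
# where one state entry per connection is not wanted on this rule.
# Packets are filtered statelessly on each pass through the ruleset.
pass in on $ext_if proto tcp from any to ($ext_if) port 443 no state

# Stateful options that only make sense when the initial SYN is seen;
# they rely on S/SA so the handshake itself is what creates the state.
pass in on $ext_if proto tcp from any to ($ext_if) port 25 \
    flags S/SA modulate state
pass in on $ext_if proto tcp from any to ($ext_if) port 8080 \
    flags S/SA synproxy state
```

The trade-off Matt describes is visible in the port 22 versus port 80 rules: the S/SA form is safer (no state from a spoofed mid-stream packet, and modulate/synproxy state become possible) but loses every TCP session that was open across a reboot, while the `flags any` form survives reboots at the price of weaker state creation; `no state` is the escape hatch for rules where the state table itself is the concern.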
Re: FairQ ALTQ for PF - Patch #2
Mon, 07 Apr 2008 15:09:58 +020
Matthew Dillon wrote:
> :...
> :could even do modulate state or synproxy state as long as you see the 
> :initial SYN.  If not, you fall back to creating a reduced state.  This 
> :option would, of course, also have a setting where it would always just 
> :create a reduced state and be done with it.
> :
> :As for the name ... maybe, 'extra-tcp-state' with a possible setting 
> :of 'on' (default), 'off' and 'force-off' or something like that.  This 
> :could also be a global setting similar to the timeouts which can also be 
> :set on a per-rule basis.
> :
> :\ /  Max Laier                          | ICQ #67774661
> 
>     I came across an interesting item.  I believe (but I'm not entirely
>     sure if I am correct) that NetBSD implies S/SA for TCP keep
>     state and it no longer needs to be specified in the rule.  Is this
>     correct? 

Yes, quoting http://www.openbsd.org/faq/pf/filter.html:

In OpenBSD 4.1 and later, the default flags S/SA are applied to all TCP
filter rules.

Since OpenBSD 4.1, "keep state" is also the default.
