DragonFly kernel List (threaded) for 2008-04
Re: FairQ ALTQ for PF - Patch #2
On Monday 07 April 2008 17:05:32 Matthew Dillon wrote:
> :Yes, quoting http://www.openbsd.org/faq/pf/filter.html:
> :In OpenBSD 4.1 and later, the default flags S/SA are applied to all
> : TCP filter rules.
> :Since OpenBSD 4.1, "keep state" is also the default.
> I found the code. NetBSD hasn't seemed to have adopted that
> I'm not sure I want to adopt the keep state by default on pass
> rules but S/SA clearly must be adopted and its default modified by
> the new options (i.e. S/SA set by default (also for 'nopickups'),
> and not set if 'pickups' or 'hashonly' since we want to pickup the
> stream in the middle for the latter two.
You will want this change, too:
if you turn on "flags S/SA" by default.
> Some of this stuff is starting to look a little overboard. I can
> see having keep state on as a default if it didn't have such an adverse
> effect on existing TCP streams on reboot, but it does and because it
> does I don't think I want it turned on as a default in DragonFly.
> Or, alternatively, we could turn it on by default in DragonFly but
> as 'hashonly' unless a keep state directive is explicitly specified
> in the rule. But then issues pop up where the administrator might
> not have wanted keep state for everything due to extreme volumes and
> doing that could blow out the areas he DID want keep state on. So,
> right now, I'm inclined not to turn on keep state by default if it
> isn't specified in the rule.
Note that processing the ruleset is *really* expensive. Keep state
wherever, whenever you can. I agree that the tcp checking is a bit
overzealous, but not keeping state at all is not a good idea.
I don't know what the most reasonable default is, but offering a way to
switch off the extended tcp checking is certainly a good thing. I think
I will take this to FreeBSD sooner or later, but will keep conservative
defaults, i.e. "flags S/SA keep state (nopickups)" in your current
/"\ Best regards, | firstname.lastname@example.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
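The thread argues about what the *default* should be when a TCP pass rule says nothing about flags or state. Whatever the default ends up being, an administrator can sidestep the question by spelling the policy out per rule. The pf.conf fragment below is an added example, not part of the thread or of either project's code; the interface name and port numbers are made up, and the `(nopickups)` / `(hashonly)` state-option spelling is taken from how the thread refers to Matthew Dillon's DragonFly options, so treat that syntax as an assumption to check against your pf.conf(5).

```pf
# Added example (not from the thread): state policy made explicit per rule
# so it does not depend on the compiled-in default.
ext_if = "em0"          # assumed interface name

# Conservative form (the one Max Laier suggests as a default): only a SYN
# creates state (S/SA), and the state machine will not pick up a stream
# it did not see from the start. Connections that predate a reboot are
# dropped until the client reconnects, which is the cost of the extra
# TCP checking.
pass in on $ext_if proto tcp from any to any port 22 \
    flags S/SA keep state (nopickups)

# Relaxed form discussed in the thread: no SYN requirement and hash-only
# tracking, so existing streams are picked up in the middle and survive a
# firewall reboot. Cheaper, but without the extended TCP sequence checks.
# "(hashonly)" is assumed to be the DragonFly state option named in the
# thread.
pass in on $ext_if proto tcp from any to any port 80 \
    keep state (hashonly)

# The case Max warns against: no state at all. Every packet of every
# connection then walks the whole ruleset, which is the expensive path.
# pass in on $ext_if proto tcp from any to any port 8080
```

Rules with an explicit `keep state` form are unaffected by the default-on-or-off debate, so during a migration between pf versions the safest step is to audit the ruleset for TCP pass rules that carry neither `flags` nor `keep state` and decide each one deliberately.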