On 08/08/2010 03:28 PM, Henning Brauer wrote:
> * Geoff Steckel <g...@oat.com> [2010-08-08 20:29]:
>> Your pf.conf should only hold state on one side. Multiple conflicting
>> state table entries for the same connection ensure flaky failures.
>
> that is wrong in so many ways.
>
> first, "should only hold state on one side" is bullshit advice.
> holding state on both sides is absolutely fine. whether it is a good
> idea depends on a number of factors. it never really hurts.
>
> second, these state table entries will never ever "collide".
> i may recommend a read here:
> http://bulabula.org/papers/2009/eurobsdcon-faster_packets/
> especially slides 40 to 50

I'm saying what has worked for me.

The state code has changed a lot since I did my last big
set of tests. If states are truly unified between input
and output interfaces, then the correct objection is:

"States found on any interface are reused quickly on
  all interfaces"

The documentation is not terribly clear about that.
I'm still a bit dubious about handling late FINs and other
legal packets which the older PF code needed extra help
to dispose correctly.


Getting back to the original question, perhaps

set skip on $int

would simplify debugging even further?

geoff steckel
curmudgeon for hire
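As an added illustration of the two positions in this exchange (it is not a ruleset from either poster), here is a minimal two-interface pf.conf that keeps state on both the internal and the external interface, with the `set skip` option from the reply shown as a commented alternative. The interface names, the LAN prefix and the SSH rule are assumptions chosen for the example.

```conf
# Added example, not part of the thread.  Interface names and the LAN
# prefix are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# All "set" options must precede the rules.
# Loopback traffic is never filtered and never creates state.
set skip on lo0

# Debugging alternative from the reply: stop filtering on the internal
# interface entirely.  No states are created there, so only the external
# interface's state table has to be examined.  Uncomment to enable.
# set skip on $int_if

# Default deny; "log" sends dropped packets to pflog0 so they can be
# inspected with: tcpdump -n -e -ttt -i pflog0
block log all

# Stateful rules on BOTH interfaces.  "keep state" is the default for
# pass rules and is written out only to make the intent explicit.
# A LAN-originated flow arrives on $int_if and leaves on $ext_if, so a
# state entry is created on each interface; the reply packets match
# those entries and need no rule of their own.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from $lan_net to any keep state

# Inbound SSH to the firewall's own external address (dynamic, in
# parentheses).  flags S/SA creates state only from the initial SYN.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, and watch the resulting entries with `pfctl -ss` while a single LAN connection is open: with the rules above you will see state on both interfaces, and with `set skip on $int_if` uncommented only on the external one, which is the simplification the reply has in mind.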
