* Geoff Steckel <g...@oat.com> [2010-08-08 22:47]:
> On 08/08/2010 03:28 PM, Henning Brauer wrote:
> >* Geoff Steckel <g...@oat.com> [2010-08-08 20:29]:
> >>Your pf.conf should only hold state on one side. Multiple conflicting
> >>state table entries for the same connection ensure flaky failures.
> >
> >that is wrong in so many ways.
> >
> >first, "should only hold state on one side" is bullshit advice.
> >holding state on both sides is absolutely fine. whether it is a good
> >idea depends on a number of factors. it never really hurts.
> >
> >second, these state table entries will never ever "collide".
> >i may recommend a read here:
> >http://bulabula.org/papers/2009/eurobsdcon-faster_packets/
> >especially slides 40 to 50
> >
> I'm saying what has worked for me.
> 
> The state code has changed a lot since I did my last big
> set of tests. If states are truly unified between input
> and output interfaces, then the correct objection is:
> 
> "States found on any interface are reused quickly on
>   all interfaces"
> 
> The documentation is not terribly clear about that.

you have no idea what you are talking about, that part is clear. the
above statements make no sense at all.

we don't need to document the inner workings of the state table. there
is no need for a user to know the details, at all. and if he wants to,
there's the code. and my slides.

> I'm still a bit dubious about handling late FINs and other
> legal packets which the older PF code needed extra help
> to dispose correctly.

i have no idea what you are talking about.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
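For readers who want to see the setup under discussion, here is a pf.conf fragment for a router that filters statefully on both of its interfaces. It is an added illustration, not code from the thread, from either poster, or from the pf documentation; the interface names, the LAN prefix and the permitted ports are assumptions. It shows the two state-policy settings that decide whether one connection ends up with a single floating state or with one interface-bound state per interface.

```pf
# Added example (not from the thread or from pf's own docs): a router pf.conf
# that keeps state on both interfaces. Interface names, the LAN prefix and the
# allowed ports are assumptions chosen for the illustration.
ext_if = "em0"
int_if = "em1"
lan    = "10.0.0.0/24"

# Default policy: a state created on one interface also matches the same
# packet on the other interface, so a LAN-to-Internet connection gets one
# floating state. With "if-bound" each interface keeps its own state for the
# connection; pf creates both, and they do not conflict with each other.
set state-policy floating
#set state-policy if-bound

block log all

# LAN -> Internet, inbound on the LAN side. "keep state" is the default for
# pass rules, so this rule creates the state when the first packet arrives.
pass in on $int_if proto tcp from $lan to any port { 80 443 }

# The same flow leaving on the external side. With floating states the packet
# already matches the state created above and this rule is not evaluated;
# with if-bound states it is evaluated once per connection and creates a
# second state bound to $ext_if.
pass out on $ext_if proto tcp from $lan to any port { 80 443 }

# Replies from the Internet are handled by the state(s) above; nothing else
# is allowed in on the external interface.
block in on $ext_if
```

To check which of the two situations you are in, run `pfctl -vvss` after opening a connection from the LAN: floating states are listed with interface `all`, while if-bound states list the interface they belong to, and with `if-bound` one TCP connection shows up twice, once per interface.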
