On Wednesday 31 October 2007 13:52:15 Stuart Henderson wrote:
> On 2007/10/31 14:02, Guntis Bumburs wrote:
> > It would be nice if there was a knob to mark some rules "skip on high load" so
> > they would be skipped to avoid congestion.
>
> So, when the system is already busy, it has to do extra processing
> to figure out which rules to use? Hmmmm...

Maybe it could be added in a rule like:

pass in log quick "this_rule_can_be_skipped" on $ext_if proto tcp ....

so if the system is busy pf can skip all the rules (or one by one) which contain the "this_rule_can_be_skipped" option?
> > I suspected the rule marked with "Y" because table <mycountry> contains the whole
> > country's aggregated IP list
>
> Tables are quite low-overhead.

Already using. <mycountry> is a table with 172 CIDRs.

> > Had to take out rule "X" and no more sign of congestion
> > scrub in X
>
> Well, scrub is a relatively expensive operation, but without it
> you can't rely on end hosts processing packets the same way as PF
> sees them (for example, different OS handle overlapping fragments
> in different ways, and this ambiguity can be used to bypass your
> firewall).

After a total reorganization and optimization of the ruleset I managed to keep the scrub rule in. Well, I will see tomorrow if there were congestions...

> If you didn't already bump net.inet.ip.ifq.maxlen, doing so

Already done:

net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=179493 (how to reset this counter without restarting?)

It went up when I was testing stateful vs stateless and had the default maxlen value. Now it seems to have stopped... For now it seems that stateless for some rules is better than all rules stateful. If someone is interested I can post my pf.conf; it's a core router for a midsize ISP. Runs BGP and pf.

> should help a lot. But, for sure, make the 4.2 upgrade a priority.
>
> --

Best Regards,
Guntis Bumburs
Rixtel, SIA
29251044
67504856
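The thread above talks about three things at once: keeping scrub despite its cost, matching against a whole-country table, and running some rules stateless to relieve a busy router. The following pf.conf sketch is an added example that ties those together in OpenBSD 4.x-era syntax; it is not the poster's ruleset (which was never posted in the thread) and not part of the original message. Interface names, the address ranges, the table file path and the state limit are assumptions.

```pf
# Added example, not the poster's pf.conf. OpenBSD 4.1/4.2-era syntax
# (scrub is still a separate rule type here). Interface names,
# addresses and the table file path are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "198.51.100.0/24"                     # assumed, documentation range
dns_servers = "{ 198.51.100.10, 198.51.100.11 }" # assumed

# Whole-country prefix list kept in a file. "persist" keeps the table
# when no rule references it; the contents can be refreshed later with
#   pfctl -t mycountry -T replace -f /etc/pf/mycountry.cidrs
# without reloading the whole ruleset.
table <mycountry> persist file "/etc/pf/mycountry.cidrs"

set skip on lo0
set limit states 500000          # assumed value; size for the real peak, not the default 10000
set optimization aggressive      # shorter state timeouts: less state-table churn under load

# Keep scrub. Without reassembly, a host that handles overlapping
# fragments differently from pf can receive a packet pf never evaluated
# the way the host sees it (the bypass described in the reply above).
scrub in on $ext_if all fragment reassemble

# Cheap, high-volume, connectionless traffic first, stateless and quick,
# so it never touches the state table and never reaches the rules below.
# The reply direction needs its own stateless rule since no state is created.
pass in  quick on $ext_if inet proto udp from <mycountry> to $dns_servers port 53 no state
pass out quick on $ext_if inet proto udp from $dns_servers port 53 to <mycountry> no state

# Stateful only where state buys something: TCP to internal services,
# created on the initial SYN only.
pass in quick on $ext_if inet proto tcp from <mycountry> to $int_net \
    port { 22, 80, 443 } flags S/SA keep state

# Everything else from outside is dropped (last match wins for non-quick rules).
block in log on $ext_if all
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. `pfctl -vs rules` prints per-rule evaluation and packet counters, which is the practical way to see which rules every packet is walking through and whether a "quick" rule placed early is actually short-circuiting the expensive ones; `pfctl -t mycountry -T show` confirms what the table loaded. pf has no per-rule "skip when busy" option of the kind proposed in the message; rule order with `quick`, `no state` on traffic that gains nothing from state tracking, and the state limits and timeouts are the levers that exist.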