
Re: Optimizations for udp/icmp

> I took a moment to peruse the pfctl.c code for the tcp settings for each
> of the various optimization topographies (normal, aggressive, etc.).  Do
> these attempt to set any of the udp or icmp timeout settings (first,
> single, multiple, error)?  I can't find anything in the pf.conf manpage
> or source to suggest they do.
Nope.  I didn't have enough real world data to calculate optimal
timeouts.  A university (can't remember if I'm allowed to name them or
not so I won't) gave me 20-30 gigs of captured TCP headers to help
optimize our TCP state code.
Optimizing the state timeouts for UDP is much more complex.  With TCP,
the dynamics are determined by the links and the OSes involved.  TCP
lends itself well to applying the same timeouts to every rule.  But with
UDP, the type of application is far more important.  I.e., the timeout
information for DNS would be totally different from TFTP or NFS.  UDP
really needs per-port timeouts set by the optimization level.  I can't
think of an easy way to apply that in PF outside of using the
optimization level to create pre-defined timeout macros which the user
can add to the UDP rules.
I could probably hack up a little PCAP utility to profile your UDP
traffic and let it calculate a distribution of timeouts.  But I have
very little free hacking time and I'm not sure there is enough demand.
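The kind of capture profiler the reply floats, as an added example: this is not the author's tool and not part of pfctl. It reads a classic (not pcapng) libpcap file with Ethernet/IPv4 framing, buckets each inter-packet gap of a UDP flow by the pf state phase it would have been spent in (first, single, multiple), keys the result on the destination port of the flow's opening packet, and turns a high percentile of each bucket into a per-port pf.conf macro. The 99th percentile, the 2x safety margin, the addresses, ports and timestamps of the embedded sample traffic are all constructed for illustration.

```python
"""Profile UDP flow timing in a pcap and suggest pf udp.first/single/multiple
timeouts per server port.  Added example, not pfctl code or the author's tool.
Assumes classic (not pcapng) captures with Ethernet/IPv4 framing, no VLAN tags."""
import math
import struct
from collections import defaultdict

PCAP_MAGIC = 0xa1b2c3d4
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
PHASES = ("first", "single", "multiple")  # pf's three UDP state phases


def iter_udp_packets(data):
    """Yield (timestamp, src_ip, sport, dst_ip, dport) for each IPv4/UDP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xd4c3b2a1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # DLT_EN10MB only
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0f) * 4
        if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        yield sec + usec / 1e6, src, sport, dst, dport


def profile_udp(data):
    """Collect inter-packet gaps per server port, bucketed by the pf phase the
    state would have been in when the gap occurred: 'first' after the opening
    packet, 'single' while only the initiator has talked, 'multiple' once both
    sides have.  Server port = destination port of the flow's opening packet."""
    flows = {}
    gaps = defaultdict(lambda: {p: [] for p in PHASES})
    for ts, src, sport, dst, dport in iter_udp_packets(data):
        key = frozenset(((src, sport), (dst, dport)))
        f = flows.get(key)
        if f is None:
            flows[key] = {"last": ts, "init": (src, sport), "reply": False, "n": 1, "port": dport}
            continue
        phase = "first" if f["n"] == 1 else "multiple" if f["reply"] else "single"
        gaps[f["port"]][phase].append(ts - f["last"])
        f["reply"] = f["reply"] or (src, sport) != f["init"]
        f["last"], f["n"] = ts, f["n"] + 1
    return gaps


def suggest_timeouts(gaps, percentile=0.99, margin=2.0):
    """Per port and phase: ceil(percentile gap * safety margin), in whole seconds.
    Percentile and margin are arbitrary knobs, not anything pf itself defines."""
    out = {}
    for port, phases in gaps.items():
        out[port] = {}
        for phase, values in phases.items():
            if values:
                s = sorted(values)
                idx = min(len(s) - 1, int(percentile * len(s)))
                out[port][phase] = max(1, math.ceil(s[idx] * margin))
    return out


def pf_macro(name, timeouts):
    """Render one port's suggestion as a pf.conf macro, used as keep state ($name)."""
    parts = [f"udp.{p} {timeouts[p]}" for p in PHASES if p in timeouts]
    return f'{name} = "{", ".join(parts)}"'


def _udp_frame(src, sport, dst, dport, payload=b"xxxx"):
    """Constructed Ethernet/IPv4/UDP frame with dummy MACs and zero checksums."""
    eth = b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + udp


def build_pcap(records):
    """Constructed little-endian classic pcap (DLT_EN10MB) from (ts, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    return out


# Constructed sample traffic: DNS (two query/answer pairs), an NFS-like exchange
# with requests 30 s apart, and one-way syslog that is never answered.
C, DNS, NFS, LOG = "10.0.0.2", "10.0.0.53", "10.0.0.9", "10.0.0.7"
SAMPLE_PCAP = build_pcap([
    (0.00, _udp_frame(C, 40000, DNS, 53)), (0.05, _udp_frame(DNS, 53, C, 40000)),
    (1.00, _udp_frame(C, 40000, DNS, 53)), (1.03, _udp_frame(DNS, 53, C, 40000)),
    (10.0, _udp_frame(C, 800, NFS, 2049)), (10.2, _udp_frame(NFS, 2049, C, 800)),
    (40.0, _udp_frame(C, 800, NFS, 2049)), (40.1, _udp_frame(NFS, 2049, C, 800)),
    (100.0, _udp_frame(C, 5140, LOG, 514)), (105.0, _udp_frame(C, 5140, LOG, 514)),
    (110.0, _udp_frame(C, 5140, LOG, 514)),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for port, t in sorted(suggest_timeouts(profile_udp(data)).items()):
        print(pf_macro(f"udp{port}_to", t))
```

Run it against a real capture by passing the file path; the printed macros are meant to be pasted into pf.conf and attached to the matching rule as state options, e.g. `pass in proto udp to port 53 keep state ($udp53_to)`, with the global `set timeout` left in place for anything not profiled. A phase with no observations (syslog here never sees a reply, so it gets no udp.multiple) is simply left out of the macro, and the numbers are only as trustworthy as the capture they came from.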