Re: Optimizations for udp/icmp
On Mon, 2002-11-18 at 13:43, Mike Frantzen wrote:
> > I took a moment to peruse the pfctl.c code for the tcp settings for each
> > of the various optimization topographies (normal, aggressive, etc.). Do
> > these attempt to set any of the udp or icmp timeout settings (first,
> > single, multiple, error)? I can't find anything in the pf.conf manpage
> > or source to suggest they do.
> Nope. I didn't have enough real world data to calculate optimal
> timeouts. A university (can't remember if I'm allowed to name them or
> not so I won't) gave me 20-30 gigs of captured TCP headers to help
> optimize our TCP state code.
> Optimizing the state timeouts for UDP is much more complex. With TCP,
> the dynamics are determined by the links and the OSes involved. TCP
> lends itself well to applying the same timeouts to every rule. But with
> UDP, the type of application is far more important. I.e., the timeout
> information for DNS would be totally different from TFTP or NFS. UDP
> really needs per-port timeouts set by the optimization level. I can't
> think of an easy way to apply that in PF outside of using the
> optimization level to create pre-defined timeout macros which the user
> can add to the UDP rules.
> I could probably hack up a little PCAP utility to profile your UDP
> traffic and let it calculate a distribution of timeouts. But I have
> very little free hacking time and I'm not sure there is enough demand.
That's ok, I'm just trying to absorb as much information about PF as I
can. No stone left unturned, don'tcha know. :)
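The profiling utility Mike describes above, sketched as an added example (not code from this thread or from pf): it groups a small constructed batch of UDP packets into flows, measures the gap to the first reply and the gaps between later packets per service port, and proposes per-port udp.first / udp.multiple values from the 95th percentile with a safety margin. The packet records, the "lower port is the service" heuristic and the 2x margin are assumptions; a real tool would feed it packets read from a pcap file.

```python
import math
from collections import defaultdict

# Constructed sample, shaped like what a pcap reader would hand over:
# (seconds since capture start, src_ip, src_port, dst_ip, dst_port).
PACKETS = [
    (0.00, "10.0.0.5", 40001, "10.0.0.1", 53),   # DNS query
    (0.03, "10.0.0.1", 53, "10.0.0.5", 40001),   # DNS answer
    (2.00, "10.0.0.5", 40002, "10.0.0.1", 53),
    (2.05, "10.0.0.1", 53, "10.0.0.5", 40002),
    (3.00, "10.0.0.5", 40003, "10.0.0.1", 53),   # query that never got an answer
    (0.00, "10.0.0.7", 2049, "10.0.0.9", 2049),  # NFS: long-lived, bursty
    (0.10, "10.0.0.9", 2049, "10.0.0.7", 2049),
    (40.0, "10.0.0.7", 2049, "10.0.0.9", 2049),
    (40.2, "10.0.0.9", 2049, "10.0.0.7", 2049),
    (95.0, "10.0.0.7", 2049, "10.0.0.9", 2049),
]

def flow_key(pkt):
    """Direction-independent flow identity: the unordered pair of endpoints."""
    _, sip, sport, dip, dport = pkt
    return frozenset([(sip, sport), (dip, dport)])

def profile(packets):
    """Per service port: first-reply gaps, later inter-packet gaps, one-packet flows."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt[0])
    stats = defaultdict(lambda: {"first": [], "multiple": [], "single": 0})
    for key, times in flows.items():
        port = min(p for _, p in key)   # assumption: lower port is the service port
        times.sort()
        if len(times) == 1:             # state that would only ever see one packet
            stats[port]["single"] += 1
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[port]["first"].append(gaps[0])      # time until the other side answered
        stats[port]["multiple"].extend(gaps[1:])  # idle gaps once the flow is established
    return stats

def percentile(values, pct):
    """Nearest-rank percentile; no interpolation so the result is an observed gap."""
    s = sorted(values)
    return s[max(0, math.ceil(pct * len(s)) - 1)]

def suggest_timeouts(packets, pct=0.95, margin=2.0):
    """Whole-second timeout suggestions per service port: percentile gap times margin."""
    out = {}
    for port, st in profile(packets).items():
        rec = {"single_only_flows": st["single"]}
        if st["first"]:
            rec["udp.first"] = math.ceil(percentile(st["first"], pct) * margin)
        if st["multiple"]:
            rec["udp.multiple"] = math.ceil(percentile(st["multiple"], pct) * margin)
        out[port] = rec
    return out
```

On the sample the DNS port gets a one-second udp.first and no udp.multiple at all (answers arrive in one packet), while NFS needs a udp.multiple over 100 seconds, which is the per-port spread the thread is talking about.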