
Re: Optimizations for udp/icmp

On Mon, 2002-11-18 at 13:43, Mike Frantzen wrote:
> > I took a moment to peruse the pfctl.c code for the tcp settings for each
> > of the various optimization topographies (normal, aggressive, etc.).  Do
> > these attempt to set any of the udp or icmp timeout settings (first,
> > single, multiple, error)?  I can't find anything in the pf.conf manpage
> > or source to suggest they do.
> Nope.  I didn't have enough real world data to calculate optimal
> timeouts.  A university (can't remember if I'm allowed to name them or
> not so I won't) gave me 20-30 gigs of captured TCP headers to help
> optimize our TCP state code.
> Optimizing the state timeouts for UDP is much more complex.  With TCP,
> the dynamics are determined by the links and the OSes involved.  TCP
> lends itself well to applying the same timeouts to every rule.  But with
> UDP, the type of application is far more important.  I.e., the timeout
> information for DNS would be totally different from TFTP or NFS.  UDP
> really needs per-port timeouts set by the optimization level.  I can't
> think of an easy way to apply that in PF outside of using the
> optimization level to create pre-defined timeout macros which the user
> can add to the UDP rules.
> I could probably hack up a little PCAP utility to profile your UDP
> traffic and let it calculate a distribution of timeouts.  But I have
> very little free hacking time and I'm not sure there is enough demand.
That's ok, I'm just trying to absorb as much information about PF as I
can.  No stone left unturned, don'tcha know.  :)
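The "pre-defined timeout macros added to the UDP rules" idea from the reply above, written out as a pf.conf fragment. This is an added illustration, not configuration from the thread or from the PF project; it assumes the pf.conf syntax of later PF releases (global `set timeout`, and per-rule `keep state ( ... )` state options), and every number in it is a constructed placeholder rather than a measured timeout.

```pf
# Constructed example: per-application UDP/ICMP timeouts via macros.
# Seconds are illustrative placeholders, not tuned values.

# Global defaults still come from the optimization level; these only
# apply to rules that do not override them.
set optimization normal
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }

# One timeout macro per application class, so each UDP rule can pick
# the profile that matches its traffic pattern.
dns_to  = "udp.first 10, udp.single 5,  udp.multiple 20"   # one query, one reply
tftp_to = "udp.first 30, udp.single 15, udp.multiple 120"  # many small blocks
nfs_to  = "udp.first 60, udp.single 30, udp.multiple 300"  # long-lived sessions

ext_if = "em0"

# Each rule creates state with its own timeout profile instead of the
# global UDP timeouts.
pass out on $ext_if proto udp to any port 53   keep state ($dns_to)
pass out on $ext_if proto udp to any port 69   keep state ($tftp_to)
pass out on $ext_if proto udp to any port 2049 keep state ($nfs_to)

# ICMP state uses the global icmp.* timeouts set above.
pass out on $ext_if inet proto icmp all keep state
```

Because macro expansion in pf.conf is textual, the macro body is substituted inside the state-option parentheses; `pfctl -nf pf.conf` will parse the file without loading it, and `pfctl -s timeouts` shows the global values the rules fall back to. The point of the layout is that the global `set timeout` block carries the optimization-level defaults, while each application class overrides only the UDP timeouts that matter for its traffic shape.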