Date: Wed, 27 Aug 2008 12:29:38 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Michal Buchtik <buchtajz@borsice.net>
Cc: freebsd-pf <freebsd-pf@freebsd.org>
Subject: Re: ALTQ and shaping an existing session
Message-ID: <20080827192938.GA1711@icarus.home.lan>
In-Reply-To: <1219864968.1536.14.camel@manwe.buchtikov.borsice.sfn>
References: <64de5c8b0808270347p2d8cf9ccydd63cae3b1ea6a14@mail.gmail.com> <1219864968.1536.14.camel@manwe.buchtikov.borsice.sfn>
On Wed, Aug 27, 2008 at 09:22:48PM +0200, Michal Buchtik wrote:
> Rajkumar S wrote on Wed 27. 08. 2008 at 16:17 +0530:
> > The problem is that even when a new IP is added to or removed from
> > <badguys>, already existing sessions from the newly added IP continue
> > to have the previous shaping configuration. All new sessions are shaped
> > as expected. I have tried rules without "keep state", but the results
> > are the same. Is this the expected behavior of pf? Can the shaping be
> > performed for existing sessions also when an IP is added to <badguys>?
>
> I have the same problem. The only way I found is to kill the existing
> states of the affected IPs. But this is uncomfortable for users. Is
> there another solution?

It sounds like the root of this problem is that "flags S/SA" is implicit
on RELENG_7 for TCP rules. "keep state" is also implicit (on TCP, UDP,
and ICMP rules).

The only solutions I see, both of which have consequences:

1) Use "flags any", but this *is not* something you would want to use in
conjunction with "keep state", since you only want to cause pf to begin
tracking state when SYN or SYN+ACK is set, and not on FIN, RST, or other
combinations. There is probably some combination of rules you could set
up which could utilise "flags any" correctly, but the risks are high.

2) Add "no state" to rules you want shaping to occur on. This has the
added drawback of pf not being able to keep track of state on such
packets (performance hit), and you'll need to tune your pf rules to match
on traffic going both directions (since there's no longer a state kept).

Max, does this sound correct?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
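An added pf.conf illustration of the two rule styles discussed in this reply (stateful rules as in the question, and the "no state" variant with both directions matched); it is not a configuration posted by anyone in the thread. The interface name, queue names, bandwidths and the 192.0.2.10 address are assumed.

```pf
ext_if = "em0"

# Addresses whose sessions should be shaped; changed at runtime with
# "pfctl -t badguys -T add <addr>" / "pfctl -t badguys -T delete <addr>".
table <badguys> persist

altq on $ext_if cbq bandwidth 10Mb queue { std_q, slow_q }
queue std_q  bandwidth 90% cbq(default)
queue slow_q bandwidth 10% cbq

# Stateful rules, as in the original question. On RELENG_7 "flags S/SA"
# and "keep state" are implicit, so a rule is evaluated once, on the SYN,
# and the queue chosen at that moment is stored in the state entry. Later
# changes to <badguys> do not affect states that already exist.
pass out on $ext_if proto tcp from any to <badguys> queue slow_q
pass out on $ext_if proto tcp from any to any      queue std_q

# Stateless alternative (option 2 in the reply); it replaces the stateful
# <badguys> rule above and is shown next to it only for comparison. With
# "no state" every packet is matched against the ruleset again, so a
# table change applies to packets of running sessions too. "flags any" is
# required as well, otherwise the implicit S/SA still limits the rule to
# SYN packets. The reply direction needs its own rule because no state
# passes it back; ALTQ shapes only packets leaving $ext_if, so the queue
# is set on the "out" rule.
pass out quick on $ext_if proto tcp from any to <badguys> flags any no state queue slow_q
pass in  quick on $ext_if proto tcp from <badguys> to any flags any no state

# Caveat for both styles: pf consults the state table before the ruleset,
# so a session that already has a state entry keeps being handled by it.
# To re-shape such a session after a table change, drop its states in
# both directions (192.0.2.10 is a constructed example address):
#   pfctl -t badguys -T add 192.0.2.10
#   pfctl -k 192.0.2.10 ; pfctl -k 0.0.0.0/0 -k 192.0.2.10
```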