Date: Thu, 22 Feb 2007 17:04:18 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: RW <fbsd06@mlists.homeunix.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: PF slowing down file copies
Message-ID: <20070222150418.GA3298@kobe.laptop>
In-Reply-To: <20070222143030.0b858e86@gumby.homeunix.com>
References: <200702202021.55723.pablo.fernandez@rs.com.ar> <19861fba0702211038p3144271ey1e30cf67311678ef@mail.gmail.com> <20070222143030.0b858e86@gumby.homeunix.com>
On 2007-02-22 14:30, RW <fbsd06@mlists.homeunix.com> wrote:
> On Wed, 21 Feb 2007 19:38:39 +0100
> J65nko <j65nko@gmail.com> wrote:
>> For keeping state on TCP connections you should only create state on
>> the first packet of the 3-way TCP handshake. Using "flags S/SA" will
>> ensure this. This will prevent problems with TCP window scaling.
>
> Why? Creating a state entry causes subsequent packets, in the same TCP
> connection, to bypass the rules altogether.

Because a state entry is a rule by itself. A special 'rule', but still a
rule. As such, each state-table entry requires a finite amount of
resources. Conserving resources, whenever possible, is a good idea.

Creating 10 packets for a connection whose 'traffic' requires 10 TCP
segments to be transmitted, and 9000 state entries for a TCP connection
whose data payload needs 9000 segments to be transmitted is kind of
silly. Especially since it is entirely legal and easy to do the same
thing with only 2 state entries (one for each connection).
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070222150418.GA3298>
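The two rule forms the thread is arguing about, side by side in a minimal pf.conf. This is an added illustration, not configuration posted by anyone in the thread; the interface name "em0" and the surrounding "block in" policy are assumptions made for the example.

```conf
# Added example (not from the thread). Interface name is an assumption.
ext_if = "em0"

set skip on lo0
block in all

# Weak form: "keep state" with no "flags" restriction. Any matching TCP
# packet may create a state entry, including a mid-stream segment whose
# SYN (and therefore its window-scaling option) PF never saw. A state
# created that way has no scaling factor to apply when it checks
# sequence numbers against the advertised window.
#pass out on $ext_if proto tcp from ($ext_if) to any keep state

# Form recommended in the thread: only a packet with SYN set and ACK
# clear (S/SA = "of the flags S and A, exactly S must be set"), i.e. the
# first packet of the three-way handshake, may create state. Later
# segments of the same connection match the existing entry instead of
# being evaluated against the ruleset.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it and watch `pfctl -ss` while a long copy runs: one connection should show up as a single state entry for its whole lifetime rather than churning. Later PF releases made `flags S/SA` the default for TCP rules that keep state, so the explicit form matters mainly for PF versions of the vintage this thread was written against; stating it explicitly is still harmless and documents the intent.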