Date: Thu, 22 Feb 2007 23:45:06 +0100
From: J65nko <j65nko@gmail.com>
To: freebsd-questions@freebsd.org
Cc: RW <fbsd06@mlists.homeunix.com>
Subject: Re: PF slowing down file copies
Message-ID: <19861fba0702221445r3124eecbq852d774d0ed4e479@mail.gmail.com>
In-Reply-To: <20070222143030.0b858e86@gumby.homeunix.com>
References: <200702202021.55723.pablo.fernandez@rs.com.ar> <19861fba0702211038p3144271ey1e30cf67311678ef@mail.gmail.com> <20070222143030.0b858e86@gumby.homeunix.com>

On 2/22/07, RW <fbsd06@mlists.homeunix.com> wrote:
> On Wed, 21 Feb 2007 19:38:39 +0100
> J65nko <j65nko@gmail.com> wrote:
>
> > For keeping state on TCP connections you should only create state on
> > the first packet of the 3 way TCP handshake. Using "flags S/SA" will
> > ensure this. This will prevent problems with TCP windows scaling..
>
> Why? Creating a state entry causes subsequent packets, in the same tcp
> connection, to bypass the rules altogether.
>

The OP did not keep state on TCP connections using "flags S/SA". That can
cause problems for TCP window scaling (defined in RFC 1323) and result in
stalling connections.

From http://undeadly.org/cgi?action=article&sid=20060928081238 under
"Create TCP states on the initial SYN packet"

----------- quote ------------------------------
pf does know about window scaling and supports it. However, the
prerequisite is that you create state on the initial SYN, so pf can
associate the first two packets of the handshake with the state entry.
Since the entire negotiation of the window scaling factors takes place
only in these two packets, there is no reliable way to deduce the
factors after the handshake.

Window scaling wasn't widely used in the past, but this is changing
rapidly. Just recently, Linux started using window scaling by default.

If you experience stalling connections, especially when problems are
limited to certain combinations of hosts, and you see 'BAD state'
messages related to these connections logged, verify that you're really
creating states on the initial packet of a connection.
---------- end of quote -------------------

To prevent these TCP windows scaling issues, the current pf version of
OpenBSD-4.1 BETA defaults to "flags S/SA keep state" for TCP pass rules.
Don't know when this feature will make it into FreeBSD ;)

Other issues the OP should look into are the optimizing tips given in
http://undeadly.org/cgi?action=article&sid=20060927091645

Adriaan
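
The check recommended in this message, as an added example that is not part of the original e-mail: a small Python linter that reports pf pass rules which create TCP state without matching only the initial SYN ("flags S/SA" or a wider mask such as S/SAFR). The sample ruleset, interface name and function names are constructed for illustration, and the parser covers only the simple rule syntax shown, not the full pf.conf grammar.

```python
import re

# Constructed sample ruleset (illustrative, not from the thread).
SAMPLE_RULES = """\
pass in on em0 proto tcp from any to any port 22 keep state
pass in on em0 proto tcp from any to any port 80 flags S/SA keep state
pass out on em0 proto udp from any to any port 53 keep state
pass out on em0 proto { tcp, udp } from any to any modulate state
block in log all
pass in on em0 proto tcp to port 25 \\
    flags S/SA synproxy state
pass in on em0 proto tcp to port 443  # no state keyword on this rule
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")
FLAGS_RE = re.compile(r"\bflags\s+(\S+)")
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")

def logical_lines(text):
    """Yield (first_line_no, rule): comments stripped, '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def stateful_tcp_without_syn_match(text):
    """Return (line_no, rule) for pass rules that may create TCP state mid-connection."""
    findings = []
    for no, rule in logical_lines(text):
        if not rule.startswith("pass") or not STATE_RE.search(rule):
            continue
        proto = PROTO_RE.search(rule)
        # A rule without a proto clause matches every protocol, TCP included.
        if proto and "tcp" not in re.findall(r"[a-z0-9]+", proto.group(1)):
            continue
        flags = FLAGS_RE.search(rule)
        setbits, _, mask = (flags.group(1) if flags else "").partition("/")
        if not (setbits == "S" and "S" in mask and "A" in mask):
            findings.append((no, rule))
    return findings

for no, rule in stateful_tcp_without_syn_match(SAMPLE_RULES):
    print(f"line {no}: state created without initial-SYN match: {rule}")
```

Rules with no state keyword are skipped on the assumption of a pf version where pass rules are stateless unless they say otherwise, which is the pre-OpenBSD-4.1 behaviour the message describes.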