authorMike Frantzen <frantzen@cvs.openbsd.org>2001-09-30 05:29:38 +0000
committerMike Frantzen <frantzen@cvs.openbsd.org>2001-09-30 05:29:38 +0000
commitcd1bbc15e20497a849d27a13a11724614f49a9ef (patch)
tree11b82e3948100d35b744bb83e3cbb78b29d049b0
parentee120a034efd29acb437910df8d46946305e68c4 (diff)
Selectable preset FSM optimizations for several network environments.
Thanks to everyone who sent me packet captures!
-rw-r--r--sbin/pfctl/pfctl.828
-rw-r--r--sbin/pfctl/pfctl.c85
2 files changed, 109 insertions, 4 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 88d25f5b71a..f609ead658f 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.32 2001/09/06 15:04:34 mpech Exp $
+.\" $OpenBSD: pfctl.8,v 1.33 2001/09/30 05:29:37 frantzen Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -36,6 +36,7 @@
.Op Fl F Ar modifier
.Op Fl l Ar interface
.Op Fl N Ar file
+.Op Fl O Ar level
.Op Fl R Ar file
.Op Fl s Ar modifier
.Op Fl t Ar modifier
@@ -107,6 +108,31 @@ option.
Do not actually load rules.
.It Fl N Ar file
Load a NAT rules file.
+.It Fl O Ar modifier
+Optimize the engine to one of the following network topographies or
+environments:
+.Bl -tag -width "O high-latency " -compact
+.It Fl O Ar default
+A normal network environment. Suitable for almost all networks.
+.It Fl O Ar normal
+Alias for
+.Em default
+.It Fl O Ar high-latency
+A high-latency environment (such as a satellite connection)
+.It Fl O Ar satellite
+Alias for
+.Em high-latency
+.It Fl O Ar aggressive
+Aggressively expire connections when they are likely no longer valid. This
+can greatly reduce the memory usage of the firewall at the cost of dropping
+idle connections early.
+.It Fl O Ar conservative
+Extremely conservative settings. Pains will be taken to avoid dropping
+legitimate connections at the expense of greater memory utilization (possibly
+much greater on a busy network) and slightly increased processor utilization.
+.El
+Currently the optimizations only encompass the state table timeouts but much
+more is planned in future revisions of the FSMs.
.It Fl q
Only print errors and warnings.
.It Fl R Ar file
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 29a08b02cad..89781540db8 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.40 2001/09/22 18:30:11 deraadt Exp $ */
+/* $OpenBSD: pfctl.c,v 1.41 2001/09/30 05:29:37 frantzen Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -60,6 +60,7 @@ int pfctl_clear_stats(int, int);
int pfctl_clear_rules(int, int);
int pfctl_clear_nat(int, int);
int pfctl_clear_states(int, int);
+int pfctl_hint(int, const char *, int);
int pfctl_show_rules(int, int);
int pfctl_show_nat(int);
int pfctl_show_states(int, u_int8_t);
@@ -74,6 +75,7 @@ int pfctl_debug(int, u_int32_t, int);
int opts = 0;
char *clearopt;
+char *hintopt;
char *logopt;
char *natopt;
char *rulesopt;
@@ -102,6 +104,54 @@ static const struct {
{ "interval", PFTM_INTERVAL },
{ NULL, 0 }};
+struct pf_hint {
+ const char *name;
+ int timeout;
+};
+static const struct pf_hint pf_hint_normal[] = {
+ { "tcp.first", 2 * 60 },
+ { "tcp.opening", 30 },
+ { "tcp.established", 24 * 60 * 60 },
+ { "tcp.closing", 15 * 60 },
+ { "tcp.finwait", 45 },
+ { "tcp.closed", 90 },
+ { NULL, 0}};
+static const struct pf_hint pf_hint_satellite[] = {
+ { "tcp.first", 3 * 60},
+ { "tcp.opening", 30 + 5},
+ { "tcp.closing", 15 * 60 + 5},
+ { "tcp.finwait", 45 + 5},
+ { "tcp.closed", 90 + 5},
+ { NULL, 0}};
+static const struct pf_hint pf_hint_conservative[] = {
+ { "tcp.first", 60 * 60 },
+ { "tcp.opening", 15 * 60 },
+ { "tcp.established", 5 * 24 * 60 * 60 },
+ { "tcp.closing", 60 * 60 },
+ { "tcp.finwait", 10 * 60 },
+ { "tcp.closed", 3 * 60 },
+ { NULL, 0}};
+static const struct pf_hint pf_hint_aggressive[] = {
+ { "tcp.first", 30 },
+ { "tcp.opening", 5 },
+ { "tcp.established", 5 * 60 * 60 },
+ { "tcp.closing", 60 },
+ { "tcp.finwait", 60 },
+ { "tcp.closed", 30 },
+ { NULL, 0}};
+
+static const struct {
+ const char *name;
+ const struct pf_hint *hint;
+} pf_hints[] = {
+ { "normal", pf_hint_normal },
+ { "default", pf_hint_normal },
+ { "satellite", pf_hint_satellite },
+ { "high-latency", pf_hint_satellite },
+ { "conservative", pf_hint_conservative },
+ { "aggressive", pf_hint_aggressive },
+ { NULL, NULL }};
+
void
usage()
{
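Review bot: pf_hint_satellite carries no `tcp.established` entry while the other three tables set one, so selecting that preset leaves the established timeout at whatever value is currently configured instead of a preset value. If that is deliberate, a comment on the table such as `/* tcp.established intentionally left at its current value */` would keep the omission from being read as a dropped line. A one-line comment on `struct pf_hint` stating the unit of `timeout` (presumably seconds, as the `-t` path parses a seconds value, but the table itself does not say) would also help anyone editing these presets.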
@@ -109,7 +159,7 @@ usage()
fprintf(stderr, "usage: %s [-dehnqv] [-F set] [-l interface] ",
__progname);
- fprintf(stderr, "[-N file] [-R file] [-s set] [-t set] [-x level]\n");
+ fprintf(stderr, "[-N file] [-O level] [-R file] [-s set] [-t set] [-x level]\n");
exit(1);
}
@@ -488,6 +538,28 @@ pfctl_log(int dev, char *ifname, int opts)
}
int
+pfctl_hint(int dev, const char *opt, int opts)
+{
+ const struct pf_hint *hint;
+ int i, r;
+
+ for (i = 0; pf_hints[i].name; i++)
+ if (strcasecmp(opt, pf_hints[i].name) == 0)
+ break;
+
+ hint = pf_hints[i].hint;
+ if (hint->name == NULL) {
+ warnx("Bad hint name. Format -O hint");
+ return 1;
+ }
+
+ for (i = 0; hint[i].name; i++)
+ if ((r = pfctl_settimeout(dev, hint[i].name, hint[i].timeout)))
+ return r;
+ return (0);
+}
+
+int
pfctl_timeout(int dev, char *opt, int opts)
{
char *seconds, *serr = NULL;
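Review bot: An unrecognized hint name dereferences a null pointer: when no entry matches, the first loop stops on the `{ NULL, NULL }` sentinel, so `hint` is NULL and `hint->name == NULL` reads through it before the warnx() can run. Test the lookup result rather than the table contents, `if (hint == NULL) {`, or equivalently `if (pf_hints[i].name == NULL) {`, so `-O` with a bad argument reports the error instead of crashing. The `opts` parameter is never read in this function; if it is kept only for signature symmetry with pfctl_timeout, a short comment saying so would help.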
@@ -608,7 +680,7 @@ main(int argc, char *argv[])
if (argc < 2)
usage();
- while ((ch = getopt(argc, argv, "deqF:hl:nN:R:s:t:vx:")) != -1) {
+ while ((ch = getopt(argc, argv, "deqF:hl:nN:O:R:s:t:vx:")) != -1) {
switch (ch) {
case 'd':
opts |= PF_OPT_DISABLE;
@@ -631,6 +703,9 @@ main(int argc, char *argv[])
case 'N':
natopt = optarg;
break;
+ case 'O':
+ hintopt = optarg;
+ break;
case 'R':
rulesopt = optarg;
break;
@@ -737,6 +812,10 @@ main(int argc, char *argv[])
if (pfctl_log(dev, logopt, opts))
error = 1;
+ if (hintopt != NULL)
+ if (pfctl_hint(dev, hintopt, opts))
+ error = 1;
+
if (timeoutopt != NULL)
if (pfctl_timeout(dev, timeoutopt, opts))
error = 1;