diff options
| author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-05-28 02:45:46 +0000 |
|---|---|---|
| committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2006-05-28 02:45:46 +0000 |
| commit | cc38e7cc37c6ca84a3c4f5751fe61c8543ae7558 (patch) | |
| tree | 770d3b9835427b46c6dacfdfd69fc1f88c9bba2f | |
| parent | 18e4cb29682e760ec4f3759132bdfea5316fd39d (diff) | |
Enable adaptive timeouts by default, with adaptive.start of 60% of the
state limit and adaptive.end of 120% of the state limit.
Explicitly setting the adaptive timeouts will override the default,
and it can be disabled by setting both adaptive.start and adaptive.end to 0.
ok henning@
| -rw-r--r-- | sbin/pfctl/pfctl.c | 19 | ||||
| -rw-r--r-- | sys/net/pf_ioctl.c | 4 | ||||
| -rw-r--r-- | sys/net/pfvar.h | 4 |
3 files changed, 24 insertions, 3 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 285d7c31b57..d3665a787c4 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfctl.c,v 1.245 2006/04/24 06:10:54 dhartmei Exp $ */ +/* $OpenBSD: pfctl.c,v 1.246 2006/05/28 02:45:45 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1218,6 +1218,8 @@ pfctl_init_options(struct pfctl *pf) pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL; pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL; pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL; + pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START; + pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END; pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT; pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT; @@ -1244,6 +1246,21 @@ pfctl_load_options(struct pfctl *pf) error = 1; } + /* + * If we've set the limit, but havn't explicitly set adaptive + * timeouts, do it now with a start of 60% and end of 120%. + */ + if (pf->limit_set[PF_LIMIT_STATES] && + !pf->timeout_set[PFTM_ADAPTIVE_START] && + !pf->timeout_set[PFTM_ADAPTIVE_END]) { + pf->timeout[PFTM_ADAPTIVE_START] = + (pf->limit[PF_LIMIT_STATES] / 10) * 6; + pf->timeout_set[PFTM_ADAPTIVE_START] = 1; + pf->timeout[PFTM_ADAPTIVE_END] = + (pf->limit[PF_LIMIT_STATES] / 10) * 12; + pf->timeout_set[PFTM_ADAPTIVE_END] = 1; + } + /* load timeouts */ for (i = 0; i < PFTM_MAX; i++) { if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i]) diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index ca3674c4ebc..d4485b8f4ca 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.165 2006/03/04 22:40:16 brad Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.166 2006/05/28 02:45:45 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -190,6 +190,8 @@ pfattach(int num) timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL; timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL; timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL; + timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START; + timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END; pf_normalize_init(); bzero(&pf_status, sizeof(pf_status)); diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index aeafa8a9b97..1d77ed28d92 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pfvar.h,v 1.234 2006/03/14 11:09:42 djm Exp $ */ +/* $OpenBSD: pfvar.h,v 1.235 2006/05/28 02:45:45 mcbride Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -611,6 +611,8 @@ struct pf_rule { #define PFRULE_IFBOUND 0x00010000 /* if-bound */ #define PFSTATE_HIWAT 10000 /* default state table size */ +#define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ +#define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */ struct pf_threshold { |