Selectable preset FSM optimizations for several network environments.

Thanks to everyone who sent me packet captures!

2 files changed, 109 insertions, 4 deletions

diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 88d25f5b71a..f609ead658f 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.32 2001/09/06 15:04:34 mpech Exp $
+.\" $OpenBSD: pfctl.8,v 1.33 2001/09/30 05:29:37 frantzen Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding.  All rights reserved.
 .\"
@@ -36,6 +36,7 @@
 .Op Fl F Ar modifier
 .Op Fl l Ar interface
 .Op Fl N Ar file
+.Op Fl O Ar level
 .Op Fl R Ar file
 .Op Fl s Ar modifier
 .Op Fl t Ar modifier
@@ -107,6 +108,31 @@ option.
 Do not actually load rules.
 .It Fl N Ar file
 Load a NAT rules file.
+.It Fl O Ar modifier
+Optimize the engine to one of the following network topographies or
+environments:
+.Bl -tag -width "O high-latency " -compact
+.It Fl O Ar default
+A normal network environment.  Suitable for almost all networks.
+.It Fl O Ar normal
+Alias for
+.Em default
+.It Fl O Ar high-latency
+A high-latency environment (such as a satellite connection)
+.It Fl O Ar satellite
+Alias for
+.Em high-latency
+.It Fl O Ar aggressive
+Aggressively expire connections when they are likely no longer valid.  This
+can greatly reduce the memory usage of the firewall at the cost of dropping
+idle connections early.
+.It Fl O Ar conservative
+Extremely conservative settings.  Pains will be taken to avoid dropping
+legitimate connections at the expense of greater memory utilization (possibly
+much greater on a busy network) and slightly increased processor utilization.
+.El
+Currently the optimizations only encompass the state table timeouts but much
+more is planned in future revisions of the FSMs.
 .It Fl q
 Only print errors and warnings.
 .It Fl R Ar file
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 29a08b02cad..89781540db8 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfctl.c,v 1.40 2001/09/22 18:30:11 deraadt Exp $ */
+/*	$OpenBSD: pfctl.c,v 1.41 2001/09/30 05:29:37 frantzen Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -60,6 +60,7 @@ int	 pfctl_clear_stats(int, int);
 int	 pfctl_clear_rules(int, int);
 int	 pfctl_clear_nat(int, int);
 int	 pfctl_clear_states(int, int);
+int	 pfctl_hint(int, const char *, int);
 int	 pfctl_show_rules(int, int);
 int	 pfctl_show_nat(int);
 int	 pfctl_show_states(int, u_int8_t);
@@ -74,6 +75,7 @@ int	 pfctl_debug(int, u_int32_t, int);
 
 int	 opts = 0;
 char	*clearopt;
+char	*hintopt;
 char	*logopt;
 char	*natopt;
 char	*rulesopt;
@@ -102,6 +104,54 @@ static const struct {
 	{ "interval",		PFTM_INTERVAL },
 	{ NULL,			0 }};
 
+struct pf_hint {
+	const char	*name;
+	int		timeout;
+};
+static const struct pf_hint pf_hint_normal[] = {
+	{ "tcp.first",		2 * 60 },
+	{ "tcp.opening",	30 },
+	{ "tcp.established",	24 * 60 * 60 },
+	{ "tcp.closing",	15 * 60 },
+	{ "tcp.finwait",	45 },
+	{ "tcp.closed",		90 },
+	{ NULL,			0}};
+static const struct pf_hint pf_hint_satellite[] = {
+	{ "tcp.first",		3 * 60},
+	{ "tcp.opening",	30 + 5},
+	{ "tcp.closing",	15 * 60 + 5},
+	{ "tcp.finwait",	45 + 5},
+	{ "tcp.closed",		90 + 5},
+	{ NULL,			0}};
+static const struct pf_hint pf_hint_conservative[] = {
+	{ "tcp.first",		60 * 60 },
+	{ "tcp.opening",	15 * 60 },
+	{ "tcp.established",	5 * 24 * 60 * 60 },
+	{ "tcp.closing",	60 * 60 },
+	{ "tcp.finwait",	10 * 60 },
+	{ "tcp.closed",		3 * 60 },
+	{ NULL,			0}};
+static const struct pf_hint pf_hint_aggressive[] = {
+	{ "tcp.first",		30 },
+	{ "tcp.opening",	5 },
+	{ "tcp.established",	5 * 60 * 60 },
+	{ "tcp.closing",	60 },
+	{ "tcp.finwait",	60 },
+	{ "tcp.closed",		30 },
+	{ NULL,			0}};
+
+static const struct {
+	const char *name;
+	const struct pf_hint *hint;
+} pf_hints[] = {
+	{ "normal",		pf_hint_normal },
+	{ "default",		pf_hint_normal },
+	{ "satellite",		pf_hint_satellite },
+	{ "high-latency",	pf_hint_satellite },
+	{ "conservative",	pf_hint_conservative },
+	{ "aggressive",		pf_hint_aggressive },
+	{ NULL,			NULL }};
+
 void
 usage()
 {
@@ -109,7 +159,7 @@ usage()
 
 	fprintf(stderr, "usage: %s [-dehnqv] [-F set] [-l interface] ",
 	    __progname);
-	fprintf(stderr, "[-N file] [-R file] [-s set] [-t set] [-x level]\n");
+	fprintf(stderr, "[-N file] [-O level] [-R file] [-s set] [-t set] [-x level]\n");
 	exit(1);
 }
 
@@ -488,6 +538,28 @@ pfctl_log(int dev, char *ifname, int opts)
 }
 
 int
+pfctl_hint(int dev, const char *opt, int opts)
+{
+	const struct pf_hint *hint;
+	int i, r;
+
+	for (i = 0; pf_hints[i].name; i++)
+		if (strcasecmp(opt, pf_hints[i].name) == 0)
+			break;
+
+	hint = pf_hints[i].hint;
+	if (hint->name == NULL) {
+		warnx("Bad hint name.  Format -O hint");
+		return 1;
+	}
+
+	for (i = 0; hint[i].name; i++)
+		if ((r = pfctl_settimeout(dev, hint[i].name, hint[i].timeout)))
+			return r;
+	return (0);
+}
+
+int
 pfctl_timeout(int dev, char *opt, int opts)
 {
 	char *seconds, *serr = NULL;
@@ -608,7 +680,7 @@ main(int argc, char *argv[])
 	if (argc < 2)
 		usage();
 
-	while ((ch = getopt(argc, argv, "deqF:hl:nN:R:s:t:vx:")) != -1) {
+	while ((ch = getopt(argc, argv, "deqF:hl:nN:O:R:s:t:vx:")) != -1) {
 		switch (ch) {
 		case 'd':
 			opts |= PF_OPT_DISABLE;
@@ -631,6 +703,9 @@ main(int argc, char *argv[])
 		case 'N':
 			natopt = optarg;
 			break;
+		case 'O':
+			hintopt = optarg;
+			break;
 		case 'R':
 			rulesopt = optarg;
 			break;
@@ -737,6 +812,10 @@ main(int argc, char *argv[])
 		if (pfctl_log(dev, logopt, opts))
 			error = 1;
 
+	if (hintopt != NULL)
+		if (pfctl_hint(dev, hintopt, opts))
+			error = 1;
+
 	if (timeoutopt != NULL)
 		if (pfctl_timeout(dev, timeoutopt, opts))
 			error = 1;