author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-05-12 01:25:33 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-05-12 01:25:33 +0000 |
commit | 4e1a3e6db441cb67c340c3d1fd13c9f1afcb96a1 (patch) | |
tree | 795327f86f48dfc5eba3746a29ed6c42d8188a6d /share | |
parent | 03cf287269743a3ba7ad0bac6bfd4e03e3c3da27 (diff) |
Adaptive timeout value scaling. Allows to reduce timeout values as the
number of state table entries grows, so entries time out faster before
the table fills up. Works both globally and per-rule. ok frantzen@
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 870ddc00620..2bb9eaa0aa1 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.234 2003/05/11 20:46:11 frantzen Exp $ +.\" $OpenBSD: pf.conf.5,v 1.235 2003/05/12 01:25:32 dhartmei Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -290,12 +290,38 @@ Other protocols are handled similarly to UDP: .It Ar other.multiple .El .Pp +Timeout values can be reduced adaptively as the number of state table +entries grows. +.Pp +.Bl -tag -width xxxx -compact +.It Ar adaptive.start +When the number of state entries exceeds this value, adaptive scaling +begins. +All timeout values are scaled linearly with factor +(adaptive.end - number of states) / (adaptive.end - adaptive.start). +.It Ar adaptive.end +When reaching this number of state entries, all timeout values become +zero, effectively purging all state entries immediately. +This value is used to define the scale factor, it should not actually +be reached (set a lower state limit, see below). +.El +.Pp +These values can be defined both globally and for each rule. +When used on a per-rule basis, the values relate to the number of +states created by the rule, otherwise to the total number of +states. +.Pp For example: .Bd -literal -offset indent -set timeout tcp.established 3600 -set timeout { tcp.opening 30, tcp.closing 900 } +set timeout tcp.first 120 +set timeout tcp.established 86400 +set timeout { adaptive.start 6000, adaptive.end 12000 } +set limit states 10000 .Ed .Pp +With 10500 state table entries, the timeout values are scaled to 25% +(tcp.first 30, tcp.established 21600). +.Pp .It Ar set loginterface Enable collection of packet and byte count statistics for the given interface. These statistics can be viewed using |