author: Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2003-05-12 01:25:33 +0000
committer: Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2003-05-12 01:25:33 +0000
commit: 4e1a3e6db441cb67c340c3d1fd13c9f1afcb96a1 (patch)
tree: 795327f86f48dfc5eba3746a29ed6c42d8188a6d /share
parent: 03cf287269743a3ba7ad0bac6bfd4e03e3c3da27 (diff)
Adaptive timeout value scaling. Allows timeout values to be reduced as the
number of state table entries grows, so entries time out faster before the table fills up. Works both globally and per-rule. ok frantzen@
Diffstat (limited to 'share')
-rw-r--r--  share/man/man5/pf.conf.5  32
1 file changed, 29 insertions, 3 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 870ddc00620..2bb9eaa0aa1 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.234 2003/05/11 20:46:11 frantzen Exp $
+.\" $OpenBSD: pf.conf.5,v 1.235 2003/05/12 01:25:32 dhartmei Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -290,12 +290,38 @@ Other protocols are handled similarly to UDP:
.It Ar other.multiple
.El
.Pp
+Timeout values can be reduced adaptively as the number of state table
+entries grows.
+.Pp
+.Bl -tag -width xxxx -compact
+.It Ar adaptive.start
+When the number of state entries exceeds this value, adaptive scaling
+begins.
+All timeout values are scaled linearly with factor
+(adaptive.end - number of states) / (adaptive.end - adaptive.start).
+.It Ar adaptive.end
+When reaching this number of state entries, all timeout values become
+zero, effectively purging all state entries immediately.
+This value is used to define the scale factor, it should not actually
+be reached (set a lower state limit, see below).
+.El
+.Pp
+These values can be defined both globally and for each rule.
+When used on a per-rule basis, the values relate to the number of
+states created by the rule, otherwise to the total number of
+states.
+.Pp
For example:
.Bd -literal -offset indent
-set timeout tcp.established 3600
-set timeout { tcp.opening 30, tcp.closing 900 }
+set timeout tcp.first 120
+set timeout tcp.established 86400
+set timeout { adaptive.start 6000, adaptive.end 12000 }
+set limit states 10000
.Ed
.Pp
+With 10500 state table entries, the timeout values are scaled to 25%
+(tcp.first 30, tcp.established 21600).
+.Pp
.It Ar set loginterface
Enable collection of packet and byte count statistics for the given interface.
These statistics can be viewed using
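Review bot: the worked example after the `.Ed` contradicts the configuration directly above it: `set limit states 10000` caps the table at 10000 entries, so "With 10500 state table entries" describes a count the example configuration can never reach, and the adaptive.end paragraph says the limit is set below adaptive.end precisely so that the table stops growing before the scale factor hits zero. Use a count under the limit so the arithmetic still follows the documented factor (adaptive.end - number of states) / (adaptive.end - adaptive.start); for instance 9000 entries gives (12000 - 9000) / (12000 - 6000) = 50%, i.e. tcp.first 60 and tcp.established 43200. Minor: "This value is used to define the scale factor, it should not actually be reached" is a comma splice; split it into two sentences. Also, "(set a lower state limit, see below)" only covers the global case; since the text says the per-rule values relate to the number of states created by that rule, it should say how that per-rule count is bounded, otherwise the reader is left assuming `set limit states` does it.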