author: David Gwynne <dlg@cvs.openbsd.org> 2009-06-14 00:16:51 +0000
committer: David Gwynne <dlg@cvs.openbsd.org> 2009-06-14 00:16:51 +0000
commit: 60209ff128ca8e8164d2ece1a0c77a081afbfd78
tree: 3365f20e76e577be13c4a22c6b3346e430cf12d6 /sys/arch
parent: 930a36719b6849df05a657bab7f55606daea8f0b
enable support for deferring the packet that creates a state so that your sync peers are able to get the states before the replies.

previously there was a race where the reply could hit a partner firewall before it had the state for it, which caused the reply to get processed by the ruleset which probably would drop it.

this behaviour is off by default because it does delay packets, which is only wanted in active-active firewalls or when an upstream router is slow to learn that you've moved the active member of the pfsync cluster. it also uses memory keeping the packets in the kernel.

use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to disable.

tested by sthen@ who loves it. he's got manpage changes coming up for me.
Diffstat (limited to 'sys/arch')
0 files changed, 0 insertions, 0 deletions