| author | David Gwynne <dlg@cvs.openbsd.org> | 2009-06-14 00:16:51 +0000 |
|---|---|---|
| committer | David Gwynne <dlg@cvs.openbsd.org> | 2009-06-14 00:16:51 +0000 |
| commit | 60209ff128ca8e8164d2ece1a0c77a081afbfd78 (patch) | |
| tree | 3365f20e76e577be13c4a22c6b3346e430cf12d6 /sys/arch | |
| parent | 930a36719b6849df05a657bab7f55606daea8f0b (diff) | |
enable support for deferring the packet that creates a state so that your
sync peers are able to get the states before the replies. previously there
was a race where the reply could hit a partner firewall before it had the
state for it, which caused the reply to get processed by the ruleset which
probably would drop it.
this behaviour is off by default because it does delay packets, which is
only wanted in active-active firewalls or when an upstream router is slow
to learn that you've moved the active member of the pfsync cluster. it also
uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to
disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.
Diffstat (limited to 'sys/arch')
0 files changed, 0 insertions, 0 deletions