Re: Clarification on recommended method of ACK queueing
On Sat, 2006-11-11 at 07:59 +0100, Daniel Hartmeier wrote:

Daniel, I could collect sentences from your posts and write a book!

--
Massimo.run();
Re: Clarification on recommended method of ACK queueing
On Fri, Nov 10, 2006 at 11:10:47AM -0800, Nathan Valentine wrote:

Reference: http://www.benzedrine.cx/ackpri.html

One of the rules in that document is:

pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)

The 'flags S/SA' part of this rule only affects what packets match this rule. We only create state on the initial SYN packet (ACK not set). This has nothing to do with the queue assignments.

Once the initial SYN packet has matched the rule and created state, all further packets related to the connection (no matter what flags are set or unset) pass based on the state entry, not the rule above.

Whether one specific packet of the connection (matching the state) gets assigned to q_def or q_pri DOES depend on the flags it has, but that is hardcoded: empty ACKs go to q_pri, everything else to q_def. The 'flags S/SA' rule option has no influence on the queues.

So, the purpose of the rule is not to separate empty ACKs from other packets. It merely picks the initial SYN of each connection to create the state entry on. Maybe that was the confusion.

I see nothing wrong with the wording in the man page about 'flags S/SA', it's precise and correct.

Daniel
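Added example (not part of the original thread, and not pf's source code): a simplified Python model of the behaviour described in the message above, where 'flags S/SA' only decides which packet creates state and the queue is picked per packet afterwards. The class and function names, the sample addresses, and the definition of an "empty ACK" as ACK set with zero payload are assumptions of this model.

```python
# Simplified model of the rule discussed above; NOT pf's actual code.
#   pass out ... flags S/SA keep state queue (q_def, q_pri)
SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP header flag bits

def flags_match(pkt_flags, want, mask):
    """pf 'flags want/mask': of the bits in mask, exactly those in want are set."""
    return (pkt_flags & mask) == want

class Firewall:  # hypothetical name, for illustration only
    def __init__(self, q_def="q_def", q_pri="q_pri"):
        self.queues = (q_def, q_pri)
        self.states = {}  # connection tuple -> queues of the rule that created it

    def handle(self, conn, flags, payload_len):
        """Return (verdict, queue, matched_by) for one outbound TCP packet."""
        if conn in self.states:
            matched_by = "state"  # the rule's flags option is not consulted again
        elif flags_match(flags, SYN, SYN | ACK):
            self.states[conn] = self.queues  # 'keep state' on the initial SYN
            matched_by = "rule"
        else:
            # This rule does not match; the rest of the ruleset would decide.
            return ("no-match", None, "rule")
        q_def, q_pri = self.states[conn]
        # Queue choice is independent of 'flags S/SA'.
        # Assumption: "empty ACK" means ACK set and no payload.
        empty_ack = bool(flags & ACK) and payload_len == 0
        return ("pass", q_pri if empty_ack else q_def, matched_by)

def demo():
    fw = Firewall()
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)  # constructed sample
    packets = [("SYN", SYN, 0), ("ACK", ACK, 0), ("PSH+ACK", PSH | ACK, 512)]
    return [(name,) + fw.handle(conn, f, n) for name, f, n in packets]

if __name__ == "__main__":
    for row in demo():
        print(row)
```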
Re: Clarification on recommended method of ACK queueing
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)

Whether one specific packet of the connection (matching the state) gets assigned to q_def or q_pri DOES depend on the flags it has, but that is hardcoded: empty ACKs go to q_pri, everything else to q_def. The 'flags S/SA' rule option has no influence on the queues.

So, the purpose of the rule is not to separate empty ACKs from other packets. It merely picks the initial SYN of each connection to create the state entry on. Maybe that was the confusion.

Ah, that makes more sense and it dovetails with my next question. If OpenBSD is acting as an Ethernet bridge and pf/alt is assigning packets to queues (cbq), the correct rule to send empty ACK packets to a high priority queue would be something like this?:

pass out on $wan_if proto tcp from any to any A/SAP queue minimal_delay

SAP because we only want to send bare ACK packets to minimal_delay. Sending SYN+ACK and ACK+PSH to the default queue is fine. And no need to track state in this situation.

Makes sense?

--
---
Nathan Valentine - [EMAIL PROTECTED]
Systems/Network Admin 415.561.6780
Discovery Mining, Inc. - http://www.discoverymining.com