On Tue, Feb 22, 2011 at 02:18:10PM +0100, Mikkel C. Simonsen wrote:
> Stuart Henderson wrote:
> > Basically don't use queues named "foo_in" and
> > "foo_out", just use a single name "foo", defined with
> > "queue foo on $tdcif" and "queue foo on $sirif". See
> > the list archives for more; this has come up several
> > times.
>
> If using separate names is wrong, why does the sample in the
> pf FAQ use that method?

Using separate names is not 'wrong', it depends on what you're trying to accomplish. But you're right, the PF guide could probably be improved to cover this.

> But I tried making this change, and many others. I could get
> either the incoming or outgoing traffic to pass through the
> correct queues, but not both at the same time.

What Stuart has suggested DEFINITELY works, so perhaps sharing your attempts at doing that would allow us to help you out.

> The final version (so far) uses only pass out, and no pass
> in rules. I also had to add "no state" to all the rules, to
> get the traffic through the queues.
>
> How much performance penalty do you get by not using states?

It depends on a number of factors:

- the size/complexity of your ruleset: the cost of each packet is related to the ruleset, but it's impossible to say something like "if you have X rules, 'no state' will be Y times as expensive" because there are several layers of optimization that will affect the average cost.

- how many states you have (if some of your rules are stateful, you will probably have some entries in your state). State table evaluation happens before ruleset evaluation, so all your 'no state' packets get evaluated against the state table anyways.

> The CPU of the system is an 800MHz Via Ezra, so it should be
> fast enough I guess.
> Is it possible to get it working with states?

'fast enough' is relative, but there is nothing preventing such a box from working stateful rules and altq.
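The layout Stuart describes in the quoted reply, written out as a complete ALTQ fragment in the pf.conf syntax of the OpenBSD 4.x era this thread dates from. This is an added example, not configuration from the thread, from Mikkel's box or from the PF FAQ; the interface names behind $tdcif and $sirif, the bandwidths, the cbq scheduler and the port-80 match are all assumed for illustration.

```pf
# Added example, not from the original thread. Interface names and
# bandwidths are assumed; adjust to the real uplinks.
tdcif = "vr0"    # assumed: first uplink
sirif = "vr1"    # assumed: second uplink

# Define the SAME queue names on both interfaces. pf records the queue
# chosen by the matching rule in the state entry and resolves that name
# on whichever interface a packet of the state leaves on, so a single
# stateful rule queues both directions of a connection.
altq on $tdcif cbq bandwidth 2Mb queue { std, foo }
queue std on $tdcif bandwidth 50% cbq(default)
queue foo on $tdcif bandwidth 50% cbq

altq on $sirif cbq bandwidth 10Mb queue { std, foo }
queue std on $sirif bandwidth 50% cbq(default)
queue foo on $sirif bandwidth 50% cbq

# One stateful rule: packets of this connection go out $sirif in "foo"
# and the replies go out $tdcif in "foo", with no "pass out" rule and
# no "no state" needed.
pass in on $tdcif proto tcp from any to any port 80 keep state queue foo

# For comparison, the per-interface naming of the FAQ sample (foo_in on
# one interface, foo_out on the other) records a name in the state that
# exists on only one of the two interfaces, so the other direction falls
# through to that interface's default queue unless a second, stateless
# rule assigns it explicitly.
```

Check the result with pfctl -vvs queue on a box carrying traffic: both interfaces should show packets accumulating in foo while the std queues carry the rest.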