> I took a moment to peruse the pfctl.c code for the tcp settings for each
> of the various optimization topographies (normal, aggressive, etc.). Do
> these attempt to set any of the udp or icmp timeout settings (first,
> single, multiple, error)? I can't find anything in the pf.conf manpage
> or source to suggest they do.
Nope. I didn't have enough real world data to calculate optimal timeouts. A university (can't remember if I'm allowed to name them or not so I won't) gave me 20-30 gigs of captured TCP headers to help optimize our TCP state code. Optimizing the state timeouts for UDP is much more complex. With TCP, the dynamics are determined by the links and the OSes involved. TCP lends itself well to applying the same timeouts to every rule. But with UDP, the type of application is far more important. I.e., the timeout information for DNS would be totally different from TFTP or NFS. UDP really needs per-port timeouts set by the optimization level. I can't think of an easy way to apply that in PF outside of using the optimization level to create pre-defined timeout macros which the user can add to the UDP rules. I could probably hack up a little PCAP utility to profile your UDP traffic and let it calculate a distribution of timeouts. But I have very little free hacking time and I'm not sure there is enough demand.

.mike
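As an added example (not code from this thread, from pf or from pfctl), a sketch of the profiling utility described above: it replays UDP packet records, groups them into direction-agnostic states the way pf would, collects the first-to-reply and later inter-packet gaps per service port, and turns a percentile of those gaps into udp.first / udp.multiple candidates rendered as pf.conf macros for UDP rules. The packet records, the percentile and safety margin, and the use of per-rule timeout options in `keep state (...)` are assumptions; a real run would feed it flows decoded from a pcap.

```python
import math
from collections import defaultdict
SAMPLE = [  # constructed packets: (time_s, src, sport, dst, dport)
    (0.00, "10.0.0.5", 40001, "10.0.0.1", 53),    # DNS: query, quick reply
    (0.02, "10.0.0.1", 53, "10.0.0.5", 40001),
    (10.0, "10.0.0.7", 50000, "10.0.0.2", 69),    # TFTP-like: steady exchange
    (10.5, "10.0.0.2", 69, "10.0.0.7", 50000),
    (12.0, "10.0.0.7", 50000, "10.0.0.2", 69),
    (14.0, "10.0.0.2", 69, "10.0.0.7", 50000),
    (20.0, "10.0.0.9", 60000, "10.0.0.3", 2049),  # NFS-like: bursty, long idle gaps
    (20.1, "10.0.0.3", 2049, "10.0.0.9", 60000),
    (25.0, "10.0.0.9", 60000, "10.0.0.3", 2049),
    (31.0, "10.0.0.3", 2049, "10.0.0.9", 60000),
    (40.0, "10.0.0.5", 40003, "10.0.0.1", 123),   # NTP packet that never got a reply
]
def profile(records):
    """Per service port: first->reply gaps, later gaps, and lone-packet states."""
    flows, service = defaultdict(list), {}
    for t, src, sport, dst, dport in sorted(records):
        key = tuple(sorted([(src, sport), (dst, dport)]))  # one state for both directions
        service.setdefault(key, dport)                     # first packet names the service
        flows[key].append(t)
    out = defaultdict(lambda: {"first": [], "multiple": [], "single": 0})
    for key, times in flows.items():
        s = out[service[key]]
        if len(times) == 1:
            s["single"] += 1       # udp.single territory: no reply ever seen
            continue
        s["first"].append(times[1] - times[0])                             # udp.first
        s["multiple"].extend(b - a for a, b in zip(times[1:], times[2:]))  # udp.multiple
    return dict(out)

def nearest_rank(values, pct):
    return sorted(values)[math.ceil(pct * len(values)) - 1]

def suggest_timeouts(records, pct=0.95, margin=2.0):
    """Per port: observed gap percentile times a safety margin, in whole seconds."""
    def secs(gaps):
        return max(1, math.ceil(nearest_rank(gaps, pct) * margin)) if gaps else None
    return {port: {"first": secs(s["first"]), "multiple": secs(s["multiple"]),
                   "single": s["single"]} for port, s in profile(records).items()}

def pf_macros(suggested):
    """Macros to drop into UDP rules as `keep state ($udp_53)` (assumed pf syntax)."""
    lines = []
    for port, s in sorted(suggested.items()):
        opts = ", ".join(f"udp.{k} {s[k]}" for k in ("first", "multiple") if s[k])
        if opts:
            lines.append(f'udp_{port} = "{opts}"')
    return lines
```

Ports that only ever produce lone packets (123 here) get no macro, since nothing in the capture says how long such a state should be kept.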
