On Thu, Jul 03, 2003 at 12:03:43PM -0700, Adam Getchell wrote:

> set timeout udp.multiple 2700
> set timeout { adaptive.start 6000, adaptive.end 12000 }
> 
> Here's a simplistic question:
> 
> UDP packet 1 creates state 1 and gets replied to once at time t = 0 sec.
> UDP packet 9000 creates state 9000 and gets replied to once at time t = 100 sec.
> UDP packet 12000 creates state 12000 and gets replied to once at time t = 1400 sec.
> 
> UDP packet 1 will expire at:
> 
> A) t = 2700 sec
> B) t = 1350 sec (2700/2)

At t = 100, the base timeout value udp.multiple (2700) is multiplied by
50%, so state 1's expiry is calculated as 0 + 2700*0.5 = 1350. That is
in the future, so the state is not removed at t = 100.

As states are added continuously between 100 < t < 1400, the scaling
factor continuously drops from 50% to 0%, and state 1's expiry gets
recalculated as earlier and earlier (assuming that no further packet
matches state 1, i.e. the state is idle).

Assuming a linear increase in number of states with time, there are
10500 states at t = 750. The scale factor is 25% at that point. The
expiry for state 1 is 0 + 2700*0.25 = 675 then. And this lies in the
past (at t = 750), so state 1 will get removed at 750. If you want the
exact removal time, you'll have to solve the math equation :)

> UDP packet 9000 expires at:
> 
> A) t = 1450
> B) t = 1400 (immediately when state 12000 is created)

This is a border case: if there are 12000 states, the scale factor
becomes 0%, and all states will immediately get removed. You probably
don't want to reach this limit, hence the man page suggests setting a
hard limit on the number of states (set limit states) that is lower than
adaptive.end. Or the other way around, decide the hard limit based on
your available memory, then set adaptive.end to the hard limit * 1.05.

> How often does pf check and adjust expiry times for all states?
> 
> C) Some other time/state interval (e.g. every 100 milliseconds, 100
> states)

This I failed to mention before.

Every 'interval' seconds; you can change it with 'set timeout interval n'
(the default is 10 seconds).

> What is the proper syntax to create adaptive timeouts per rule? The
> following rule doesn't work in 3.3-stable:

pass ... keep state (adaptive.start 100, adaptive.end 200)

but adaptive timeouts (both global and per-rule) were added post-3.3,
so you need -current.

Daniel
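A worked version of the expiry calculation discussed above, added here as an example and not code from the thread or from pf itself. It assumes the thread's linear growth model (9000 states at t=100, 12000 at t=1400), the 10-second purge interval, and the helper names adaptive_scale, expiry_time, states_at and removal_time, which are mine.

```python
# Added example (not pf source): models the adaptive timeout scaling
# described in the thread and finds when idle state 1 is purged.
# Assumptions: states grow linearly from 9000 at t=100 to 12000 at
# t=1400, and pf recomputes expiries every `interval` seconds.

def adaptive_scale(num_states, start, end):
    """Fraction of the configured timeout still in effect.

    At or below adaptive.start the full timeout applies (1.0); at or
    above adaptive.end every idle state is purged (0.0); in between the
    factor falls linearly, e.g. 50% at 9000 states for 6000..12000.
    """
    if num_states <= start:
        return 1.0
    if num_states >= end:
        return 0.0
    return (end - num_states) / (end - start)


def expiry_time(last_packet_t, timeout, num_states, start, end):
    """Expiry of an idle state given the current number of states."""
    return last_packet_t + timeout * adaptive_scale(num_states, start, end)


def states_at(t):
    """Constructed state-count model: linear growth using the thread's figures."""
    if t < 100:
        return 9000.0 * t / 100
    return min(9000.0 + (t - 100) * 3000.0 / 1300, 12000.0)


def removal_time(last_packet_t, timeout, start, end, count_fn,
                 interval=10, horizon=2000):
    """Simulate pf's periodic purge: every `interval` seconds recompute the
    expiry with the current state count; the state is removed at the first
    tick where expiry <= now. Returns that tick, or None if never removed."""
    t = last_packet_t
    while t <= horizon:
        if expiry_time(last_packet_t, timeout, count_fn(t), start, end) <= t:
            return t
        t += interval
    return None


if __name__ == "__main__":
    print(expiry_time(0, 2700, 9000, 6000, 12000))       # 1350.0 (t=100)
    print(expiry_time(0, 2700, 10500, 6000, 12000))      # 675.0 (t=750)
    print(removal_time(0, 2700, 6000, 12000, states_at))  # 720
```

Solving the thread's equation exactly gives a crossing at about t=713; with the default 10-second interval the purge actually happens at the next tick, t=720.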
