Re: PF State Expiration Model for Huge Amount of States

This is a discussion within the lucky.openbsd.tech forums, part of the OpenBSD category.
* Teemu Takanen <Teemu.Takanen@tecnomen.com> [2006-05-19 11:55]:
> On Fri, 19 May 2006, joerg@britannica.bec.de wrote:
>
> >> PF state entries should be modified to include one more RB-tree entry,
> >> used for state expiration.
>
> > The problem with this approach is that any longer living connection has
> > far more updates than actual expiring states. It should also be kept in
> > mind that this adds a lot of cache thrashing due to the constant tree
> > updates.
>
> This is a valid concern. However at least I find it practically impossible
> to get a PF firewall machine under any practical CPU/memory load before
> packet loss starts to happen because of state expiration sweeps.

I have had pf firewalls at this point more than once. we must be careful to
not waste CPU power, you need as much headroom as possible for DoS style
attacks.

> So yes, this might be expensive, but it still improves practical
> performance in my opinion.

not acceptable. we'll need a better solution. and yes, it is not easy to
solve at all. we talked about that before.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
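An added illustration of the tradeoff argued over in this thread (a constructed Python model, not OpenBSD or pf code): a packet trace is replayed through an expiry-ordered heap with generation counters, standing in for the proposed per-state RB-tree entry that is re-keyed on every packet, and through the periodic full-table sweep, and the work each does is counted. The idle timeout, sweep interval and traffic profile are assumed values chosen to show a few long-lived connections.

```python
"""Toy cost model for the two pf state-expiration strategies discussed above
(constructed example, not OpenBSD code)."""
import heapq

IDLE_TIMEOUT = 60.0    # assumed: seconds a state may sit idle before expiring
SWEEP_INTERVAL = 10.0  # assumed: how often the sweep walks the whole table

def make_trace(connections, horizon):
    """connections: (packets_per_second, time_of_last_packet) per state;
    returns time-sorted (time, state_id) events (constructed traffic)."""
    events = [(k / pps, sid) for sid, (pps, stop) in enumerate(connections)
              for k in range(int(min(stop, horizon) * pps) + 1)]
    return sorted(events)

def expire_by_tree(trace, horizon):
    """Heap with generation counters standing in for the proposed expiry-keyed
    RB-tree: every packet re-keys its state. Returns (rekeys, expired)."""
    heap, gen, alive, stats = [], {}, set(), {"rekeys": 0, "expired": 0}
    def drain(now):
        while heap and heap[0][0] <= now:
            _, sid, g = heapq.heappop(heap)
            if gen.get(sid) == g and sid in alive:  # live key: expire state
                alive.discard(sid)
                stats["expired"] += 1
    for now, sid in trace:
        drain(now)                      # pop anything due before this packet
        gen[sid] = gen.get(sid, 0) + 1  # old heap entries become stale
        alive.add(sid)
        heapq.heappush(heap, (now + IDLE_TIMEOUT, sid, gen[sid]))
        stats["rekeys"] += 1
    drain(horizon)
    return stats["rekeys"], stats["expired"]

def expire_by_sweep(trace, horizon):
    """Per packet only a timestamp is written; every SWEEP_INTERVAL the whole
    table is walked. Returns (states_visited, expired)."""
    last, stats, next_sweep = {}, {"visits": 0, "expired": 0}, SWEEP_INTERVAL
    def sweep(now):
        for sid in list(last):
            stats["visits"] += 1
            if now - last[sid] >= IDLE_TIMEOUT:
                del last[sid]
                stats["expired"] += 1
    for now, sid in trace + [(horizon, None)]:  # sentinel flushes sweeps
        while next_sweep <= now:
            sweep(next_sweep)
            next_sweep += SWEEP_INTERVAL
        if sid is not None:
            last[sid] = now
    return stats["visits"], stats["expired"]
```

With three constructed connections (10 pps for 300 s, 1 pps for 100 s, 0.5 pps for 20 s) over a 400 s window, both strategies expire the same three states, but the re-keyed structure is touched once per packet while the sweep visits states only every interval; the sweep's cost instead grows with table size and arrives in bursts, which is the packet-loss symptom Teemu describes.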