Henning Brauer wrote:
* NetOne - Doichin Dokov <[EMAIL PROTECTED]> [2007-11-07 01:57]:
Hello,
I have an OpenBSD 4.2 box set up to shape clients traffic. Each client gets
limited by these 4 rules:
pass in on $int_if from $client_ip to any queue client_in
pass out on $int_if from any to $client_ip queue client_out
pass in on $ext_if from any to $client_ip queue client_out
pass out on $ext_if from $client_ip to any queue client_in
Everything works fine. I now want to limit max states created by each
client in each direction to 300, so i modified the rules to be:
pass in on $int_if from $client_ip to any (max 300) queue client_in
When a packet matches this rule, but there are already 300 states from
this rule, the result is a non-match. You need to decide what to do
with excess states and put rules in. It could be something like
block from $a to $b
pass from $a to $b keep state (max 300)
to block 'em.
Yup, I guessed I was wrong with something :) Thank you very much for the
clarification. I'll test and report back later. I guess if it is this
way, though, the documentation needs to be fixed.
That's what the FAQ says here:
http://www.openbsd.org/faq/pf/filter.html#stateopts
max /number/
Limit the maximum number of state entries the rule can create to
/number/. If the maximum is reached, packets that would normally
create state are *dropped* until the number of existing states
decreases.
Regards,
Doichin
P.S. Henning Brauer: I first submitted this message directly to you
instead of misc@, please excuse me for getting this twice.
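The block-then-pass arrangement Henning describes, written out for all four directions of the original setup. This is an added pf.conf excerpt, not a ruleset from the thread or the OpenBSD FAQ; the interface names, the client address (a constructed 192.0.2.x address), the bandwidth figures and the queue definitions are assumptions made so the fragment is complete.

```conf
# pf.conf excerpt (added example, not from the thread).
# Assumed: em0 faces the Internet, em1 faces the clients, the client is
# 192.0.2.10, and the altq queue names/sizes below are placeholders.
ext_if = "em0"
int_if = "em1"
client_ip = "192.0.2.10"

# Queues the pass rules reference. Inbound rules on one interface
# assign packets to a queue on the interface they will leave through.
altq on $ext_if cbq bandwidth 10Mb queue { std_out, client_in }
queue std_out  bandwidth 8Mb cbq(default)
queue client_in bandwidth 2Mb

altq on $int_if cbq bandwidth 10Mb queue { std_in, client_out }
queue std_in    bandwidth 8Mb cbq(default)
queue client_out bandwidth 2Mb

# pf evaluates rules top to bottom and the LAST matching rule wins.
# The block rules go first: once a pass rule below has reached its
# 'max', a packet that would need a new state no longer matches that
# pass rule, so the block rule is the last match and the packet is dropped.
block in  on $int_if from $client_ip to any
block out on $ext_if from $client_ip to any
block in  on $ext_if from any to $client_ip
block out on $int_if from any to $client_ip

# Each pass rule may hold at most 300 states. The 301st new connection in
# that direction falls through to the matching block rule above. 'keep
# state' is written out explicitly so the state options parse on any
# pf version, not only those where pass implies keep state.
pass in  on $int_if from $client_ip to any keep state (max 300) queue client_in
pass out on $ext_if from $client_ip to any keep state (max 300) queue client_in
pass in  on $ext_if from any to $client_ip keep state (max 300) queue client_out
pass out on $int_if from any to $client_ip keep state (max 300) queue client_out
```

Two things worth checking after loading this. First, a packet that matches an existing state is never run through the ruleset, so a client-initiated connection normally creates its state on the `pass in on $int_if` rule and the corresponding `pass out on $ext_if` rule rarely creates one at all; `pfctl -vvs rules` shows a `States:` counter per rule and `pfctl -s states` lists the states, so you can see which rules are actually doing the counting before deciding whether a limit on every direction is what you want. Second, `max` is a per-rule limit, not a per-client one: it only behaves as a per-client limit here because each rule names a single address. If the clients are folded into one rule via a table, `max` becomes the aggregate across all of them, and the per-source option `max-src-states` is the one that limits each source address individually.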