I already talked to dlg here, but that obviously cuts you out which isn't good :/
* Alexander Bluhm <alexander.bl...@gmx.net> [2015-02-10 23:12]:
> We do not use the pf congestion feature, we have disabled it with
> an #ifdef. Preferring states over rules means that you cannot login
> into a congested box. There are cases where this policy makes
> sense, in our use case it does not.

well, you can over the console, and preferring existing states is the
right thing to do imo:
-(D)DoS-Traffic won't match a state, preferring states means that your
 legit traffic has a much higher chance
-ruleset evaluation is MUCH more expensive than state matching

not sure whether your product is the extreme outlier here; if it is
then the "you have to ifdef it out" is perfectly acceptable imo; if it
isn't we might need a button (shrug). the fact that nobody asked for a
button or the like in a decade makes me tend towards "not needed".

> I can't see cases where different congestion states for each input
> queue are useful.

me neither.

things are significantly different now than they were 10+ years ago
when bob & I chose "ipintrq full" as trigger. the congestion trick
isn't as effective any more as it used to be since the arrival of
MCLGETI - which overall is much more effective, and less selective at
the same time. the two should cooperate.