Mention tcp.tsdiff in pf.conf(5)
On Sun, Apr 14, 2024 at 01:28:12PM +0200, Jesper Wallin wrote:
> On Sun, Apr 14, 2024 at 06:27:51AM +0100, Jason McIntyre wrote:
> > for the optimisation stuff: you could submit a separate diff for that.
> > maybe a note where all the tcp.* bits are saying that they can be
> > handled more generally by set optimization?
>
> Maybe I took you too literally, but it fits on a single line at least.
>
>
> Index: pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.600
> diff -u -p -r1.600 pf.conf.5
> --- pf.conf.5 18 Nov 2022 18:11:10 -0000 1.600
> +++ pf.conf.5 14 Apr 2024 11:24:49 -0000
> @@ -1465,6 +1465,9 @@ Each packet which matches this state wil
> Tuning these values may improve the performance of the
> firewall at the risk of dropping valid idle connections.
> .Pp
> +This can also be handled more generally with
> +.Cm set optimization .
> +.Pp
> .Bl -tag -width Ds -compact
> .It Cm tcp.closed Pq 90 seconds by default
> The state after one endpoint sends an RST.
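
Review bot: In the added paragraph that follows the "Tuning these values" sentence, "This" has no clear antecedent, and the line does not say how set optimization relates to the tcp.* timeouts listed directly below it. Suggest naming the subject, for example saying that these timeout values can be adjusted collectively with .Cm set optimization, and folding the sentence into the preceding paragraph instead of giving it its own .Pp block, so the tag list is still introduced by the tuning text.
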
well, that does not really hint at the relationship. what about:

	When a packet matches a stateful connection, the seconds to
	live for the connection will be updated to that of the protocol
	and modifier which corresponds to the connection state. Each
	packet which matches this state will reset the TTL. Tuning
	these values may improve the performance of the firewall at
	the risk of dropping valid idle connections. Alternatively
	the variables may be adjusted collectively in a manner suitable
	for specific environments using set optimization (see above).

sth like that?

jmc