On 05/05/11 13:37, David Gwynne wrote:

> when doing a bulk update pfsync only generates 100 packets a second. each packet will be filled with as many full state update messages as possible.
>
> unfortunately the full state update message is about 264 bytes so you can only fit 5 in a packet. that means 5 * 100 or 500 messages a second, which means 60000 / 500 seconds, ie, a minimum of 2 minutes.
>
> to make this worse, pfsync won't make a new packet for bulk updates, it will fill a packet every 100th of a second. if the master has pending updates to send, you'll fit even less full update messages in a frame. if the master is reasonably busy you'll always have pending updates.

That makes sense then. Thanks for the explanation.

> i do this on my firewalls sometimes:
>
> root@passive ~# ssh master pfctl -S /dev/stdout | pfctl -L /dev/stdin
>
> it's a bit faster...
>
> dlg

I've tried your trick and it took just a second to copy the states. However it still took 10 minutes to show "pfsync bulk done" (75k states).

No worries

Giannis