From owner-freebsd-current@FreeBSD.ORG Tue Nov 13 15:54:45 2012
Date: Tue, 13 Nov 2012 10:54:43 -0500 (EST)
From: Darrel <levitch@iglou.com>
To: Dan Nelson
Cc: current@freebsd.org
Subject: [ solved ]: Too many dynamic rules
In-Reply-To: <20121113022318.GE20857@dan.emsphone.com>
References: <20121113022318.GE20857@dan.emsphone.com>
List-Id: Discussions about the use of FreeBSD-current

>> Today I booted r242670 from the console and noticed an error. This
>> is one line from the end of dmesg:
>>
>> ipfw: ipfw_install_state: Too many dynamic rules
>>
>> The ruleset has always been dynamic and has no additional rules.
>> Search engines produced similar error messages, but no information
>> that seems to be the correct solution.
>>
>> I have a basically identical ruleset on fbsd91 and no error message.
>
> That means that the dynamic rules generated by the keep-state keyword hit
> the currently-configured limit. If you get hit with a lot of random traffic
> that matches a keep-state rule, you'll get that message. It's not the rules
> themselves that cause this, it's the traffic.

That makes sense. Recently I began to run an ntp server there.

> Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
> two values. If count is near to dyn_max, you can simply raise dyn_max.
> It's a writeable sysctl. I set it to 65535 on my systems in
> /etc/sysctl.conf with no apparent ill effects.

This is just an internal server, so at first will try an increment:

net.inet.ip.fw.dyn_max=16384

Thank you,
Darrel
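The check Dan describes (compare net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max before raising the limit) is the kind of thing worth running continuously rather than once after the error shows up in dmesg. The script below is an added example and is not from this thread or from FreeBSD itself: it turns the two sysctls into an OK/WARN/CRIT state and counts the "Too many dynamic rules" kernel message in a log file, so it can be dropped into a cron job or a monitoring plugin. The 80% warning threshold, the function names and the sample log lines are assumptions made here; on a host without ipfw loaded it falls back to constructed numbers so it still runs.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread): a monitoring
# check for ipfw dynamic-state exhaustion. It reads the two sysctls named in
# the thread, net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max, reports
# when the state table is nearly full, and counts "Too many dynamic rules"
# kernel messages in a log. The 80% threshold is an assumption chosen here.

# dyn_usage_state COUNT MAX PERCENT -> prints OK|WARN|CRIT|UNKNOWN
# CRIT when count has reached max (ipfw is refusing to install new states),
# WARN when count is at or above PERCENT of max, OK otherwise.
dyn_usage_state() {
    count=$1; max=$2; pct=$3
    if [ "$max" -le 0 ]; then
        echo "UNKNOWN"; return 3
    fi
    if [ "$count" -ge "$max" ]; then
        echo "CRIT"; return 2
    fi
    # Integer arithmetic only (POSIX sh): compare count*100 with max*pct.
    if [ $((count * 100)) -ge $((max * pct)) ]; then
        echo "WARN"; return 1
    fi
    echo "OK"; return 0
}

# count_dyn_errors FILE -> number of lines in FILE carrying the kernel
# message from the thread (FILE would be /var/log/messages or dmesg output).
# grep -c exits 1 when there are no matches, so force a clean "0".
count_dyn_errors() {
    n=$(grep -c 'ipfw_install_state: Too many dynamic rules' "$1" || true)
    echo "${n:-0}"
}

# Constructed sample log standing in for /var/log/messages.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov 13 09:12:01 host kernel: ipfw: ipfw_install_state: Too many dynamic rules
Nov 13 09:12:03 host kernel: ipfw: ipfw_install_state: Too many dynamic rules
Nov 13 09:15:00 host ntpd[812]: ntpd starting
EOF

# Use live values where ipfw is loaded; otherwise fall back to constructed
# numbers so the script still runs on a host without ipfw.
if sysctl -n net.inet.ip.fw.dyn_count >/dev/null 2>&1; then
    DYN_COUNT=$(sysctl -n net.inet.ip.fw.dyn_count)
    DYN_MAX=$(sysctl -n net.inet.ip.fw.dyn_max)
else
    DYN_COUNT=3900; DYN_MAX=4096   # constructed sample values
fi

state=$(dyn_usage_state "$DYN_COUNT" "$DYN_MAX" 80) || true
printf 'ipfw dynamic states: %s/%s (%s); "Too many dynamic rules" log hits: %s\n' \
    "$DYN_COUNT" "$DYN_MAX" "$state" "$(count_dyn_errors "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

A WARN before the table actually fills is the useful signal: once dyn_count reaches dyn_max, ipfw has already started dropping new keep-state entries, which is when legitimate connections (here, an ntp server's clients) begin to fail silently apart from the dmesg line. The return codes follow the usual 0/1/2/3 monitoring-plugin convention so the function can be wired straight into Nagios-style checks.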