Date: Wed, 05 Sep 2001 20:49:27 +0200
From: Mathieu Arnold <arn_mat@club-internet.fr>
To: freebsd-questions@freebsd.org
Subject: Re: ipfilter
Message-ID: <3B9673B7.6BFED57C@club-internet.fr>
References: <5.0.2.1.0.20010903183401.01fc43d8@localhost>

Robert Moss wrote:
>
> Hi, I think this problem relates to the amount of buckets in the NAT/FILTER
> hash table rather than physical memory.
>
> How many rules do you have, and how many connections are going through the
> server? I imagine a lot ;)
>
> I think there are a few other places where you have to modify the NAT/state
> table sizes, I'm running from memory here (about 1 year ago).
>
> Looks like you have done it right (from below text). Have you made sure to
> recompile (correctly) and reinstall the kernel object?

yes, pretty sure, as ipfilter is compiled in the kernel and not as module.

> Also, check in ipnat -l how many NAT connections you have.

well, 0 I guess as I don't do nat.

> With the information here, I'm not sure what else to suggest.
>
> What version of IPFilter?
> What number of rules do you have
> ipnat -l | wc -l
> cat /etc/ipnat.conf | wc -l

the version which comes with 4.3-RELEASE.
and I don't do nat, but ipfstat -io|wc -l should be between 400 and 600.

> When you installed the new module, how did you do that?

well, in the kernel, and reboot.

> Cheers
> rob.
>
> At 07:07 PM 30/08/2001 +0200, you wrote:
> >Hi
> >
> >I'm having some problems with ipfilter :
> ># ipfstat -s
> >IP states added:
> >        4572145 TCP
> >        573649 UDP
> >        463188 ICMP
> >        1165608186 hits
> >        34257625 misses
> >        0 maximum
> >        1546129 no memory
> >        8208 bkts in use
> >        22215 active
> >        959216 expired
> >        3081422 closed
> ># uptime
> > 6:10PM up 1 day, 7:24, 2 users, load averages: 0.08, 0.12, 0.27
> ># uname -r
> >4.3-RELEASE-p14
> >
> >as you can see, the no memory should stay at 0, but here, it's far from
> >good.
> >do you have some ideas...
> >btw, here are some things I've modified...
> >in /usr/src/sys/netinet/ip_state.c :
> >#define FIVE_DAYS (2*2*3600) /* 5 days: half closed session */
> >
> >in /usr/src/sys/netinet/ip_state.h :
> >#define IPSTATE_SIZE 1613321
> >#define IPSTATE_MAX 1048576 /* Maximum number of states held */
> >
> >any clue ?
> >
> >--
> >Mathieu Arnold
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message

--
Mathieu Arnold
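
Added example, not part of the original message or of IPFilter: a small sh/awk check that parses the `ipfstat -s` counters quoted above and fails when "no memory" is above 0, the condition the poster says should not occur. The function names and the per-1000 ratio are assumptions introduced here, and the sample input is constructed from the quoted output.

```sh
#!/bin/sh
# Added example: flag a non-zero "no memory" counter in `ipfstat -s` output.

# Constructed sample input: the counters quoted in the message above.
sample_ipfstat_s() {
    cat <<'EOF'
IP states added:
        4572145 TCP
        573649 UDP
        463188 ICMP
        1165608186 hits
        34257625 misses
        0 maximum
        1546129 no memory
        8208 bkts in use
        22215 active
        959216 expired
        3081422 closed
EOF
}

# Reads `ipfstat -s` text on stdin, prints one summary line, and returns
# non-zero when the "no memory" counter is above 0.
check_state_table() {
    awk '
        # Counter lines look like "<number> <label>"; index them by label.
        $1 ~ /^[0-9]+$/ { n = $1; $1 = ""; sub(/^ +/, ""); v[$0] = n }
        END {
            added = v["TCP"] + v["UDP"] + v["ICMP"]
            nomem = v["no memory"] + 0
            # "no memory" events per 1000 states added (hypothetical metric),
            # so samples taken at different uptimes can be compared.
            rate = (added > 0) ? int(nomem * 1000 / added) : 0
            status = (nomem > 0) ? "FAIL" : "OK"
            printf "added=%d nomem=%d per1000=%d active=%d status=%s\n",
                   added, nomem, rate, v["active"], status
            exit (nomem > 0)
        }'
}

# Demo on the constructed sample; on a live host: ipfstat -s | check_state_table
sample_ipfstat_s | check_state_table || echo 'warning: "no memory" counter is non-zero'
```

Run from cron or a monitoring agent, the non-zero exit status gives an alert as soon as the counter moves off 0.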