From: "Bruce M. Simpson" <bms@FreeBSD.org>
Date: Thu, 15 May 2008 11:03:53 +0100
To: "Andrey V. Elsukov"
Cc: Vivek Khera, FreeBSD Stable, freebsd-ipfw@freebsd.org
Subject: Re: how much memory does increasing max rules for IPFW take up?
Message-ID: <482C0A89.104@FreeBSD.org>
In-Reply-To: <482C07DE.3090504@yandex.ru>
References: <04EA1C34-AB7D-4A85-8A91-DED03E987706@khera.org> <482C07DE.3090504@yandex.ru>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Andrey V. Elsukov wrote:
> Vivek Khera wrote:
>> I had a box run out of dynamic state space yesterday. I found I can
>> increase the number of dynamic rules by increasing the sysctl
>> parameter net.inet.ip.fw.dyn_max. I can't find, however, how this
>> affects memory usage on the system. Is it dynamically allocated and
>> de-allocated, or is it a static memory buffer?
>
> Each dynamic rule is allocated dynamically. Be careful, too many dynamic
> rules will work very slowly.

Got any figures for this?

I took a quick glance and it looks like it just uses a hash over
dst/src/dport/sport. If there are a lot of raw IP or ICMP flows then
that's going to result in hash collisions.

It might be a good project for someone to optimize if it isn't scaling
for folk. "Bloomier" filters are probably worth a look -- bloom filters
are a class of probabilistic hash which may return a false positive;
"bloomier" filters are a refinement which tries to limit the false
positives.

Having said that, the default tunable of 256 state entries is probably
quite low for use cases other than "home/small office NAT gateway".

cheers
BMS
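The collision behaviour Bruce describes above, worked through as an added example. This is not code from the thread and not ipfw's own implementation: it is a simplified model that assumes the state table hashes each flow by XORing dst/src/dport/sport and masking with a power-of-two bucket count, then counts how two constructed workloads of 65536 flows each land in the buckets. The addresses, ports, and the 4096-bucket table size are assumptions chosen for illustration.

```c
/*
 * Added example, not part of the mailing-list thread and not ipfw code.
 * Model: flow hash = (dst_ip ^ src_ip ^ dst_port ^ src_port) & (nbuckets - 1),
 * i.e. the kind of per-tuple hash the reply describes. We measure bucket
 * occupancy for a port-less (ICMP) sweep versus a TCP fan-out.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct flow_id {
    uint32_t src_ip;    /* host byte order */
    uint32_t dst_ip;
    uint16_t src_port;  /* 0 for protocols without ports (ICMP, raw IP) */
    uint16_t dst_port;
    uint8_t  proto;     /* not part of the hash in this model */
};

struct bucket_stats {
    unsigned flows;     /* flows inserted */
    unsigned used;      /* buckets holding at least one flow */
    unsigned max_chain; /* longest chain: the worst-case lookup walk */
};

/* Assumed hash: XOR of the tuple fields, masked to a power-of-two table. */
static unsigned flow_hash(const struct flow_id *id, unsigned nbuckets)
{
    uint32_t h = id->dst_ip ^ id->src_ip ^ id->dst_port ^ id->src_port;
    return h & (nbuckets - 1);
}

/* Drop every flow into a counting table and report the occupancy. */
static struct bucket_stats bucket_stats_for(const struct flow_id *flows,
                                            unsigned n, unsigned nbuckets)
{
    struct bucket_stats st = {0, 0, 0};
    unsigned *load;

    /* The mask trick only works for a power of two, so reject anything else. */
    if (nbuckets == 0 || (nbuckets & (nbuckets - 1)) != 0)
        return st;
    load = calloc(nbuckets, sizeof *load);
    if (load == NULL)
        return st;
    for (unsigned i = 0; i < n; i++) {
        unsigned b = flow_hash(&flows[i], nbuckets);
        if (load[b]++ == 0)
            st.used++;
        if (load[b] > st.max_chain)
            st.max_chain = load[b];
        st.flows++;
    }
    free(load);
    return st;
}

/* Constructed workload 1: every host in 10.0.0.0/24 pinging every host in
 * 10.0.1.0/24. No ports, so only the address bits feed the hash. */
struct bucket_stats simulate_icmp_sweep(unsigned nbuckets)
{
    enum { N = 256 * 256 };
    struct bucket_stats st = {0, 0, 0};
    struct flow_id *flows = malloc(N * sizeof *flows);
    if (flows == NULL)
        return st;
    for (unsigned x = 0; x < 256; x++) {
        for (unsigned y = 0; y < 256; y++) {
            struct flow_id *f = &flows[x * 256 + y];
            f->src_ip = 0x0a000000u | x;   /* 10.0.0.x */
            f->dst_ip = 0x0a000100u | y;   /* 10.0.1.y */
            f->src_port = f->dst_port = 0;
            f->proto = 1;                  /* ICMP */
        }
    }
    st = bucket_stats_for(flows, N, nbuckets);
    free(flows);
    return st;
}

/* Constructed workload 2: one client opening a TCP connection to one web
 * server from every source port once. The varying port spreads the hash. */
struct bucket_stats simulate_tcp_fanout(unsigned nbuckets)
{
    enum { N = 65536 };
    struct bucket_stats st = {0, 0, 0};
    struct flow_id *flows = malloc(N * sizeof *flows);
    if (flows == NULL)
        return st;
    for (unsigned p = 0; p < N; p++) {
        flows[p].src_ip = 0x0a000001u;     /* 10.0.0.1 */
        flows[p].dst_ip = 0xc000020au;     /* 192.0.2.10 */
        flows[p].src_port = (uint16_t)p;
        flows[p].dst_port = 80;
        flows[p].proto = 6;                /* TCP */
    }
    st = bucket_stats_for(flows, N, nbuckets);
    free(flows);
    return st;
}

int main(void)
{
    struct bucket_stats icmp = simulate_icmp_sweep(4096);
    struct bucket_stats tcp = simulate_tcp_fanout(4096);
    printf("icmp sweep: %u flows, %u buckets used, longest chain %u\n",
           icmp.flows, icmp.used, icmp.max_chain);
    printf("tcp fanout: %u flows, %u buckets used, longest chain %u\n",
           tcp.flows, tcp.used, tcp.max_chain);
    return 0;
}
```

With a 4096-bucket table both workloads hold the same number of states, but the port-less sweep touches only 256 buckets with chains 256 deep, while the TCP fan-out fills all 4096 with chains of 16. That is the difference between a cheap lookup and a linear walk over hundreds of entries, and it only shows up once the table is larger than the handful of distinct address bits the sweep supplies. In this model the XOR is also trivially invertible, so a sender who controls source ports can choose tuples that land in one bucket; chain length is therefore partly attacker-influenced. On a real box, compare net.inet.ip.fw.dyn_count against net.inet.ip.fw.dyn_max and look at net.inet.ip.fw.curr_dyn_buckets (the sysctl names ipfw used in this era; raising dyn_max without raising dyn_buckets only makes the chains longer).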