Date:      Mon, 12 Nov 2012 20:23:18 -0600
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Darrel <levitch@iglou.com>
Cc:        current@freebsd.org
Subject:   Re: Too many dynamic rules
Message-ID:  <20121113022318.GE20857@dan.emsphone.com>
In-Reply-To: <alpine.GSO.2.00.1211121835130.23406@shell1>
References:  <alpine.GSO.2.00.1211121835130.23406@shell1>

In the last episode (Nov 12), Darrel said:
> Hello,
> 
> Today I booted r242670 from the console and noticed an error.  This
> is one line from the end of dmesg:
> 
> ipfw: ipfw_install_state: Too many dynamic rules
>
> The ruleset has always been dynamic and has no additional rules.
> Search engines produced similar error messages, but no information
> that seems to be the correct solution.
> 
> I have a basically identical ruleset on fbsd91 and no error message.

That means that the dynamic rules generated by the keep-state keyword hit
the currently-configured limit.  If you get hit with a lot of random traffic
that matches a keep-state rule, you'll get that message.  It's not the rules
themselves that cause this, it's the traffic.

Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
two values.  If count is near to dyn_max, you can simply raise dyn_max. 
It's a writeable sysctl.  I set it to 65535 on my systems in
/etc/sysctl.conf with no apparent ill effects.
 
-- 
	Dan Nelson
	dnelson@allantgroup.com
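Added example, not part of Dan's reply or of ipfw itself: a POSIX sh check that parses the two sysctl values named above and warns when dyn_count is close to dyn_max, so the condition is caught before the dmesg line appears. The 80% threshold and the sample sysctl output are assumptions; on a FreeBSD host feed it the live `sysctl` output as shown in the last comment.

```shell
#!/bin/sh
# Added example (not from the original e-mail): parse the output of
#   sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count
# and report when dyn_count approaches dyn_max, as the reply advises.

# Warning threshold in percent (assumed value, not from the e-mail).
IPFW_DYN_WARN_PCT=80

# ipfw_dyn_usage "<sysctl output>" -> prints "count max percent"
# Expects lines of the form "net.inet.ip.fw.dyn_max: 4096".
ipfw_dyn_usage() {
    out="$1"
    max=$(printf '%s\n' "$out" | awk -F': ' '/dyn_max/ {print $2}')
    count=$(printf '%s\n' "$out" | awk -F': ' '/dyn_count/ {print $2}')
    [ -n "$max" ] && [ -n "$count" ] && [ "$max" -gt 0 ] || return 2
    pct=$(( count * 100 / max ))
    printf '%s %s %s\n' "$count" "$max" "$pct"
}

# ipfw_dyn_check "<sysctl output>" -> 0 if usage is below the threshold,
# 1 if the table is near or at dyn_max (the state that produces
# "ipfw_install_state: Too many dynamic rules"), 2 if the input is unparsable.
ipfw_dyn_check() {
    usage=$(ipfw_dyn_usage "$1") || return 2
    set -- $usage          # $1=count $2=max $3=percent (function-local)
    if [ "$3" -ge "$IPFW_DYN_WARN_PCT" ]; then
        echo "ipfw: $1 of $2 dynamic rules in use ($3%);" \
             "consider raising net.inet.ip.fw.dyn_max in /etc/sysctl.conf" >&2
        return 1
    fi
    echo "ipfw: $1 of $2 dynamic rules in use ($3%)"
    return 0
}

# Constructed sample output standing in for a live FreeBSD host.
SAMPLE_BUSY='net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 4011'
SAMPLE_IDLE='net.inet.ip.fw.dyn_max: 65535
net.inet.ip.fw.dyn_count: 812'

# On a real host:
# ipfw_dyn_check "$(sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count)"
```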