From: Dan Nelson
To: Darrel
Cc: current@freebsd.org
Subject: Re: Too many dynamic rules
Date: Mon, 12 Nov 2012 20:23:18 -0600
Message-ID: <20121113022318.GE20857@dan.emsphone.com>
List-Id: Discussions about the use of FreeBSD-current
In the last episode (Nov 12), Darrel said:
> Hello,
>
> Today I booted r242670 from the console and noticed an error. This
> is one line from the end of dmesg:
>
> ipfw: ipfw_install_state: Too many dynamic rules
>
> The ruleset has always been dynamic and has no additional rules.
> Search engines produced similar error messages, but no information
> that seems to be the correct solution.
>
> I have a basically identical ruleset on fbsd91 and no error message.

That means that the dynamic rules generated by the keep-state keyword hit
the currently-configured limit. If you get hit with a lot of random traffic
that matches a keep-state rule, you'll get that message. It's not the rules
themselves that cause this, it's the traffic.

Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare
the two values. If count is near dyn_max, you can simply raise dyn_max.
It's a writeable sysctl. I set it to 65535 on my systems in
/etc/sysctl.conf with no apparent ill effects.

-- 
Dan Nelson
dnelson@allantgroup.com
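A script that automates the comparison Dan describes, added here as an example (not code from the original post): it parses the two sysctl values and flags when dyn_count approaches dyn_max, so the table can be raised before ipfw starts refusing new keep-state entries. The 80% warning threshold, the function names and the sample sysctl values are assumptions; on a FreeBSD host feed it live sysctl output instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): check ipfw dynamic-rule table
# usage from the two sysctls named in the reply. The 80% threshold is an assumption.

# parse_sysctl_value NAME TEXT: print the value for NAME from sysctl(8)-style
# "name: value" lines; return 1 if NAME is not present.
parse_sysctl_value() {
    _val=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == (n ":") { print $2 }')
    [ -n "$_val" ] || return 1
    printf '%s\n' "$_val"
}

# dyn_rule_status COUNT MAX [PCT]: 0 = usage below PCT percent of MAX,
# 1 = at or above PCT (table nearly full, raise dyn_max before it fills),
# 2 = COUNT >= MAX, i.e. ipfw_install_state is already refusing new
#     keep-state entries ("Too many dynamic rules").
dyn_rule_status() {
    _count=$1; _max=$2; _pct=${3:-80}
    [ "$_max" -gt 0 ] || return 2
    [ "$_count" -lt "$_max" ] || return 2
    [ $(( _count * 100 / _max )) -lt "$_pct" ] || return 1
    return 0
}

# dyn_rule_report TEXT: evaluate sysctl-style output TEXT, print a summary,
# and pass dyn_rule_status's code through (3 = a sysctl was missing).
dyn_rule_report() {
    _c=$(parse_sysctl_value net.inet.ip.fw.dyn_count "$1") || return 3
    _m=$(parse_sysctl_value net.inet.ip.fw.dyn_max "$1") || return 3
    _rc=0; dyn_rule_status "$_c" "$_m" || _rc=$?
    case $_rc in
        0) printf 'ok: %s/%s dynamic rules in use\n' "$_c" "$_m" ;;
        1) printf 'warning: %s/%s dynamic rules; raise net.inet.ip.fw.dyn_max\n' "$_c" "$_m" ;;
        2) printf 'critical: %s/%s, table full; new keep-state entries refused\n' "$_c" "$_m" ;;
    esac
    return $_rc
}

# Constructed sample in sysctl(8) "name: value" form so the script runs offline.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 3900'

# On a FreeBSD host use live values instead:
#   dyn_rule_report "$(sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count)"
# A non-zero status is the signal, not an error, so do not let set -e abort here.
dyn_rule_report "$SAMPLE_SYSCTL" || :
```

Run it from cron or a monitoring agent and alert on exit status 1 or 2; status 2 means the "Too many dynamic rules" condition is already occurring.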