Date: Tue, 13 Nov 2012 15:33:02 +0100 From: Ivan Voras <ivoras@freebsd.org> To: freebsd-current@freebsd.org Subject: Re: Too many dynamic rules Message-ID: <k7tlms$1a5$1@ger.gmane.org> In-Reply-To: <20121113022318.GE20857@dan.emsphone.com> References: <alpine.GSO.2.00.1211121835130.23406@shell1> <20121113022318.GE20857@dan.emsphone.com>
On 13/11/2012 03:23, Dan Nelson wrote:
> In the last episode (Nov 12), Darrel said:
>> Hello,
>>
>> Today I booted r242670 from the console and noticed an error. This
>> is one line from the end of dmesg:
>>
>> ipfw: ipfw_install_state: Too many dynamic rules
>>
>> The ruleset has always been dynamic and has no additional rules.
>> Search engines produced similar error messages, but no information
>> that seems to be the correct solution.
>>
>> I have a basically identical ruleset on fbsd91 and no error message.
>
> That means that the dynamic rules generated by the keep-state keyword hit
> the currently-configured limit. If you get hit with a lot of random traffic
> that matches a keep-state rule, you'll get that message. It's not the rules
> themselves that cause this, it's the traffic.
>
> Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
> two values. If count is near to dyn_max, you can simply raise dyn_max.
> It's a writeable sysctl. I set it to 65535 on my systems in
> /etc/sysctl.conf with no apparent ill effects.

I have huge problems with the default settings, and I beat them down with
the following:

net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_ack_lifetime=60
net.inet.tcp.fast_finwait2_recycle=1

I also add these, though I don't think they help this particular problem:

net.inet.tcp.nolocaltimewait=1
net.inet.tcp.ecn.enable=1
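The check Dan Nelson describes (compare dyn_count with dyn_max and raise dyn_max when the two are close), written out as a small POSIX sh script. This is an added example for this archive page, not code posted by anyone in the thread. The sysctl names are the ones quoted in the reply; the 80% warning threshold, the helper names, the sizing rule (double the observed count, rounded up to a power of two, never below the current limit) and the dmesg sample lines are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): report ipfw dynamic-rule usage
# against net.inet.ip.fw.dyn_max and suggest a larger limit when the
# table is close to full. The arithmetic is kept in plain functions so
# it can be exercised on a box without ipfw; only check_ipfw_dyn touches
# the live sysctls.

# dyn_state COUNT MAX [WARN_PCT]
# Prints OK, WARN (usage at or above WARN_PCT, default 80) or FULL
# (count has reached the limit, i.e. ipfw_install_state will start
# refusing new state entries and logging "Too many dynamic rules").
dyn_state() {
    count=$1
    max=$2
    warn_pct=${3:-80}
    if [ "$count" -ge "$max" ]; then
        echo FULL
    elif [ $((count * 100 / max)) -ge "$warn_pct" ]; then
        echo WARN
    else
        echo OK
    fi
}

# next_pow2 N: smallest power of two >= N (assumption: powers of two
# are a sensible shape for these table sizes; dyn_buckets in the
# settings above is one).
next_pow2() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# suggest_dyn_max COUNT MAX: headroom of 2x the observed count, rounded
# up to a power of two, but never lower than the current limit.
suggest_dyn_max() {
    want=$(next_pow2 $(($1 * 2)))
    if [ "$want" -lt "$2" ]; then
        echo "$2"
    else
        echo "$want"
    fi
}

# count_dyn_errors: number of "Too many dynamic rules" lines on stdin
# (pipe dmesg into it). grep -c exits 1 on zero matches, so keep the
# count and ignore that status.
count_dyn_errors() {
    grep -c 'ipfw_install_state: Too many dynamic rules' || true
}

# check_ipfw_dyn: live check, FreeBSD with ipfw loaded only.
check_ipfw_dyn() {
    max=$(sysctl -n net.inet.ip.fw.dyn_max) || return 1
    count=$(sysctl -n net.inet.ip.fw.dyn_count) || return 1
    state=$(dyn_state "$count" "$max")
    errors=$(dmesg | count_dyn_errors)
    echo "dyn_count=$count dyn_max=$max state=$state dmesg_errors=$errors"
    case $state in
        WARN|FULL)
            echo "suggest: sysctl net.inet.ip.fw.dyn_max=$(suggest_dyn_max "$count" "$max")"
            echo "(and persist it in /etc/sysctl.conf)"
            ;;
    esac
}

# Run the live check only where the sysctl actually exists.
if command -v sysctl >/dev/null 2>&1 \
   && sysctl -n net.inet.ip.fw.dyn_max >/dev/null 2>&1; then
    check_ipfw_dyn
fi
```

Run it on the firewall host itself; on anything without ipfw the live section is skipped and only the helper functions are defined. A sysctl raised at the shell is lost on reboot, which is why both replies put the value in /etc/sysctl.conf.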
