From owner-freebsd-current@FreeBSD.ORG Tue Nov 13 14:33:15 2012
To: freebsd-current@freebsd.org
From: Ivan Voras
Subject: Re: Too many dynamic rules
Date: Tue, 13 Nov 2012 15:33:02 +0100
References: <20121113022318.GE20857@dan.emsphone.com>
In-Reply-To: <20121113022318.GE20857@dan.emsphone.com>
List-Id: Discussions about the use of FreeBSD-current
On 13/11/2012 03:23, Dan Nelson wrote:
> In the last episode (Nov 12), Darrel said:
>> Hello,
>>
>> Today I booted r242670 from the console and noticed an error. This
>> is one line from the end of dmesg:
>>
>> ipfw: ipfw_install_state: Too many dynamic rules
>>
>> The ruleset has always been dynamic and has no additional rules.
>> Search engines produced similar error messages, but no information
>> that seems to be the correct solution.
>>
>> I have a basically identical ruleset on fbsd91 and no error message.
>
> That means that the dynamic rules generated by the keep-state keyword hit
> the currently-configured limit. If you get hit with a lot of random traffic
> that matches a keep-state rule, you'll get that message. It's not the rules
> themselves that cause this, it's the traffic.
>
> Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare the
> two values. If count is near to dyn_max, you can simply raise dyn_max.
> It's a writeable sysctl. I set it to 65535 on my systems in
> /etc/sysctl.conf with no apparent ill effects.
I have huge problems with the default settings, and I beat them down with the following:

net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_ack_lifetime=60
net.inet.tcp.fast_finwait2_recycle=1

I also add these, though I don't think they help this particular problem:

net.inet.tcp.nolocaltimewait=1
net.inet.tcp.ecn.enable=1
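The check Dan Nelson describes (compare dyn_count with dyn_max and raise the limit if they are close) as a small POSIX sh script. This is an added example, not code from anyone in the thread: the 80% warning threshold and the doubling-with-cap suggestion are assumptions of this example, while the 65535 cap is the value Dan reports using. The sysctl read is guarded so the script runs on hosts without the ipfw OIDs.

```shell
#!/bin/sh
# Added example, not code from the thread: compare ipfw's dynamic-rule
# count against its configured limit and print the sysctl.conf line that
# would raise the limit when usage is close to it.

# dyn_usage_check COUNT MAX [THRESHOLD_PCT]
# Prints the usage percentage. Returns 0 while usage is below the
# threshold (default 80%, an assumption of this example), 1 when
# dyn_count is near dyn_max, and 2 on non-numeric or zero input.
dyn_usage_check() {
    count=$1
    max=$2
    threshold=${3:-80}
    for v in "$count" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "dyn_usage_check: non-numeric input" >&2; return 2 ;;
        esac
    done
    [ "$max" -gt 0 ] || { echo "dyn_usage_check: dyn_max must be > 0" >&2; return 2; }
    pct=$(( count * 100 / max ))
    echo "$pct"
    [ "$pct" -lt "$threshold" ]
}

# suggest_dyn_max MAX
# Proposes the next limit: double the current one, capped at 65535
# (the value Dan Nelson reports using without ill effects).
suggest_dyn_max() {
    new=$(( $1 * 2 ))
    [ "$new" -le 65535 ] || new=65535
    echo "$new"
}

# Live check on a FreeBSD host. sysctl -n prints values only, one per line.
# Guarded so the script still runs on systems without these OIDs.
if sysctl -n net.inet.ip.fw.dyn_max >/dev/null 2>&1; then
    set -- $(sysctl -n net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max)
    if pct=$(dyn_usage_check "$1" "$2"); then
        echo "ipfw dynamic rules: $1/$2 (${pct}%), below threshold"
    else
        echo "ipfw dynamic rules: $1/$2 (${pct}%), near the limit" >&2
        echo "consider adding to /etc/sysctl.conf: net.inet.ip.fw.dyn_max=$(suggest_dyn_max "$2")" >&2
    fi
fi
```

Run it from cron or a monitoring check; a non-zero exit from dyn_usage_check is the signal that the "Too many dynamic rules" message is about to appear, before it does.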