From owner-freebsd-ipfw@FreeBSD.ORG Thu May 15 16:38:55 2008
Date: Thu, 15 May 2008 09:20:56 -0700
From: Jeremy Chadwick <jdc@parodius.com>
To: "Bruce M. Simpson"
Cc: Vivek Khera, "Andrey V. Elsukov", FreeBSD Stable, freebsd-ipfw@freebsd.org
Subject: Re: how much memory does increasing max rules for IPFW take up?
Message-ID: <20080515162056.GA17187@eos.sc1.parodius.com>
In-Reply-To: <482C0A89.104@FreeBSD.org>
References: <04EA1C34-AB7D-4A85-8A91-DED03E987706@khera.org> <482C07DE.3090504@yandex.ru> <482C0A89.104@FreeBSD.org>
List-Id: IPFW Technical Discussions
User-Agent: Mutt/1.5.17 (2007-11-01)

On Thu, May 15, 2008 at 11:03:53AM +0100, Bruce M. Simpson wrote:
> Andrey V. Elsukov wrote:
>> Vivek Khera wrote:
>>> I had a box run out of dynamic state space yesterday. I found I can
>>> increase the number of dynamic rules by increasing the sysctl parameter
>>> net.inet.ip.fw.dyn_max. I can't find, however, how this affects memory
>>> usage on the system. Is it dynamically allocated and de-allocated, or
>>> is it a static memory buffer?
>>
>> Each dynamic rule is allocated dynamically. Be careful, too many dynamic
>> rules will work very slowly.
>
> Got any figures for this? I took a quick glance and it looks like it just
> uses a hash over dst/src/dport/sport. If there are a lot of raw IP or ICMP
> flows then that's going to result in hash collisions.
>
> It might be a good project for someone to optimize if it isn't scaling for
> folk. "Bloomier" filters are probably worth a look -- bloom filters are a
> class of probabilistic hash which may return a false positive, "bloomier"
> filters are a refinement which tries to limit the false positives.
>
> Having said that the default tunable of 256 state entries is probably quite
> low for use cases other than "home/small office NAT gateway".

It's far too low for home/small office. Standard Linux NAT routers, such as the Linksys WRT54G/GL, come with a default state table count of 2048, which is often increased by third-party firmwares to 8192 based on justified necessity. Search for "conntrack" below:

http://www.polarcloud.com/firmware

256 can easily be exhausted by more than one user loading multiple HTTP 1.0 web pages at one time (as is the case with many users who now have browsers that load 7-8 web pages into separate tabs during startup). And if that's not enough reason, consider torrents, which are quite often what results in a home or office router exhausting its state table.

Bottom line: the 256 default is too low. It needs to be increased to at least 2048.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
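The collision concern Bruce raises above (a state table hashed over dst/src/dport/sport has no port entropy for raw IP or ICMP flows) can be illustrated with a small simulation. This is an added example, not code from the thread or from ipfw: the hash function, the 256-bucket table size, the sample addresses and the treatment of every ICMP echo between one host pair as its own state entry are all assumptions made for the demo. It compares the longest bucket chain produced by 64 TCP flows between two hosts (distinct ephemeral source ports) against 64 port-less flows between the same two hosts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bucket count for the demo; not ipfw's actual table size. */
#define NBUCKETS 256

/* The 4-tuple Bruce names as the hash input: dst/src/dport/sport.
 * Anything that is not in this struct (IP protocol, ICMP id/seq) cannot
 * separate two entries, so such entries share a bucket. */
struct flow_key {
    uint32_t src, dst;
    uint16_t sport, dport;
};

/* Hypothetical mixing hash (assumption: not the kernel's function).
 * Only the low 8 bits select a bucket, so two keys that agree on every
 * field land in the same chain no matter how good the mixing is. */
static unsigned bucket_of(const struct flow_key *k)
{
    uint32_t h = k->src ^ (k->dst * 0x9E3779B1u);
    h ^= ((uint32_t)k->sport << 16) | k->dport;
    h ^= h >> 16;
    h *= 0x85EBCA6Bu;
    return h % NBUCKETS;
}

/* Insert n flows between src and dst into an empty table and return the
 * longest resulting chain. With vary_sport set, each flow gets its own
 * ephemeral source port (TCP-like); otherwise both ports are 0 (ICMP or
 * raw-IP-like), so every key is identical. */
unsigned longest_chain(uint32_t src, uint32_t dst, uint16_t dport,
                       int n, int vary_sport)
{
    unsigned chain[NBUCKETS];
    unsigned longest = 0;

    memset(chain, 0, sizeof chain);
    for (int i = 0; i < n; i++) {
        struct flow_key k = {
            src, dst,
            vary_sport ? (uint16_t)(49152 + i) : 0,
            dport
        };
        unsigned b = bucket_of(&k);
        if (++chain[b] > longest)
            longest = chain[b];
    }
    return longest;
}

int main(void)
{
    /* Constructed sample: one internal host talking to one external host. */
    const uint32_t a = 0x0A000001u; /* 10.0.0.1 (assumed) */
    const uint32_t b = 0xC0000201u; /* 192.0.2.1 (assumed) */

    printf("64 TCP flows to port 80, longest chain: %u\n",
           longest_chain(a, b, 80, 64, 1));
    printf("64 port-less (ICMP/raw IP) flows, longest chain: %u\n",
           longest_chain(a, b, 0, 64, 0));
    return 0;
}
```

The TCP case spreads across the table because the source port feeds the hash; the port-less case degenerates into a single 64-entry chain, so lookup cost grows linearly with the number of such flows between one pair of hosts. That is the scaling problem a larger dyn_max alone does not solve, and why Bruce suggests looking at the hash structure rather than just raising the limit.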