Date: Thu, 15 May 2008 11:03:53 +0100
From: "Bruce M. Simpson" <bms@FreeBSD.org>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Vivek Khera <vivek@khera.org>, FreeBSD Stable <freebsd-stable@freebsd.org>, freebsd-ipfw@freebsd.org
Subject: Re: how much memory does increasing max rules for IPFW take up?
Message-ID: <482C0A89.104@FreeBSD.org>
In-Reply-To: <482C07DE.3090504@yandex.ru>
References: <04EA1C34-AB7D-4A85-8A91-DED03E987706@khera.org> <482C07DE.3090504@yandex.ru>
Andrey V. Elsukov wrote:
> Vivek Khera wrote:
>> I had a box run out of dynamic state space yesterday. I found I can
>> increase the number of dynamic rules by increasing the sysctl
>> parameter net.inet.ip.fw.dyn_max. I can't find, however, how this
>> affects memory usage on the system. Is it dynamically allocated and
>> de-allocated, or is it a static memory buffer?
>
> Each dynamic rule is allocated dynamically. Be careful: too many dynamic
> rules will work very slowly.

Got any figures for this?

I took a quick glance and it looks like it just uses a hash over
dst/src/dport/sport. If there are a lot of raw IP or ICMP flows then
that's going to result in hash collisions. It might be a good project
for someone to optimize if it isn't scaling for folk.

"Bloomier" filters are probably worth a look -- bloom filters are a
class of probabilistic hash which may return a false positive;
"bloomier" filters are a refinement which tries to limit the false
positives.

Having said that, the default tunable of 256 state entries is probably
quite low for use cases other than "home/small office NAT gateway".

cheers
BMS
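The two points in the thread (per-state allocation, so memory tracks the live count rather than dyn_max; and a hash over src/dst/dport/sport that collapses on port-less flows) can be seen in a small model. The following C program is an added example, not ipfw's own code: a chained hash table of flow states with a dyn_max-style cap, fed a constructed workload of ICMP flows between 1:1 mapped hosts (10.1.0.0/16 to 10.2.0.0/16), once with a plain XOR-and-mask hash and once with a mixing hash. The bucket count of 256, both hash functions, the 13-byte key layout and the way the cap is enforced are assumptions made for the demonstration; the real ipfw state structure is larger than the toy `struct dyn_state` here, so the byte figure only illustrates the scaling, not the kernel's actual per-entry cost.

```c
/* Added example, not ipfw source: a chained hash table of per-flow states keyed on
 * src/dst/sport/dport/proto.  NBUCKETS, both hashes and the cap are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 256u                       /* assumed; power of two, so we mask */
struct flow_key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct dyn_state { struct flow_key key; struct dyn_state *next; };
struct dyn_table {
    struct dyn_state *bucket[NBUCKETS];
    unsigned (*hash)(const struct flow_key *);
    unsigned count, max;                    /* stand in for dyn_count and dyn_max */
};
struct workload_result { unsigned installed, refused, max_chain; size_t bytes; };

/* Weak hash: XOR the tuple and mask.  ICMP/raw IP flows carry sport = dport = 0,
 * so every host pair with the same src^dst lands in one bucket. */
unsigned hash_xor(const struct flow_key *k)
{
    return (k->src ^ k->dst ^ ((uint32_t)k->sport << 16) ^ k->dport) & (NBUCKETS - 1);
}

/* Mixing hash: FNV-1a over the 13 key bytes, folded so all 32 bits pick the bucket. */
unsigned hash_fnv(const struct flow_key *k)
{
    unsigned char buf[13];
    uint32_t h = 2166136261u;
    size_t i;
    memcpy(buf, &k->src, 4); memcpy(buf + 4, &k->dst, 4);
    memcpy(buf + 8, &k->sport, 2); memcpy(buf + 10, &k->dport, 2);
    buf[12] = k->proto;
    for (i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    h ^= h >> 16; h ^= h >> 8;
    return h & (NBUCKETS - 1);
}

/* 0: state created; 1: already tracked; -1: cap hit, i.e. "out of dynamic state
 * space".  One heap object per state, so memory follows count, not max. */
int dyn_install(struct dyn_table *t, const struct flow_key *k)
{
    unsigned b = t->hash(k);
    struct dyn_state *s;
    for (s = t->bucket[b]; s != NULL; s = s->next)      /* chain walk = lookup cost */
        if (s->key.src == k->src && s->key.dst == k->dst && s->key.proto == k->proto &&
            s->key.sport == k->sport && s->key.dport == k->dport)
            return 1;
    if (t->count >= t->max || (s = malloc(sizeof *s)) == NULL)
        return -1;
    s->key = *k;
    s->next = t->bucket[b];
    t->bucket[b] = s;
    t->count++;
    return 0;
}

/* Longest bucket chain: the worst lookup this table can hit. */
unsigned dyn_max_chain(const struct dyn_table *t)
{
    unsigned b, n, worst = 0;
    const struct dyn_state *s;
    for (b = 0; b < NBUCKETS; b++) {
        for (n = 0, s = t->bucket[b]; s != NULL; s = s->next)
            n++;
        worst = n > worst ? n : worst;
    }
    return worst;
}

/* Constructed workload: n ICMP flows from host i in 10.1.0.0/16 to host i in
 * 10.2.0.0/16 (what a 1:1 mapped network produces), capped at dyn_max. */
struct workload_result icmp_workload(unsigned (*hash)(const struct flow_key *),
                                     unsigned n, unsigned dyn_max)
{
    struct dyn_table t = { {0}, hash, 0, dyn_max };
    struct workload_result r = { 0, 0, 0, 0 };
    struct dyn_state *s;
    unsigned i;
    for (i = 0; i < n; i++) {
        struct flow_key k = { 0x0A010000u | (i & 0xFFFFu), 0x0A020000u | (i & 0xFFFFu), 0, 0, 1 };
        if (dyn_install(&t, &k) == 0)
            r.installed++;
        else
            r.refused++;
    }
    r.max_chain = dyn_max_chain(&t);
    r.bytes = (size_t)t.count * sizeof(struct dyn_state);
    for (i = 0; i < NBUCKETS; i++)          /* release states, as expiry would */
        while ((s = t.bucket[i]) != NULL) { t.bucket[i] = s->next; free(s); }
    return r;
}

int main(void)
{
    struct workload_result a = icmp_workload(hash_xor, 1024, 4096);
    struct workload_result b = icmp_workload(hash_fnv, 1024, 4096);
    struct workload_result c = icmp_workload(hash_fnv, 1024, 256);
    printf("xor: %u states, longest chain %u, %zu bytes\n", a.installed, a.max_chain, a.bytes);
    printf("fnv: %u states, longest chain %u\n", b.installed, b.max_chain);
    printf("dyn_max=256: %u installed, %u refused\n", c.installed, c.refused);
    return 0;
}
```

With the XOR hash all 1024 flows share bucket 0 because src^dst is the same constant for every mapped pair and the ports contribute nothing, so every new state walks the whole chain; the FNV variant spreads the same keys across the table. The third run shows the cap behaviour Vivek hit: once count reaches dyn_max, further flows are refused rather than allocated. On a real box the figures to compare are `sysctl net.inet.ip.fw.dyn_count` against `net.inet.ip.fw.dyn_max` (and `dyn_buckets` for the table size); of these, only dyn_max is named in the thread.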