Date:      Thu, 15 May 2008 09:20:56 -0700
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        "Bruce M. Simpson" <bms@FreeBSD.org>
Cc:        Vivek Khera <vivek@khera.org>, "Andrey V. Elsukov" <bu7cher@yandex.ru>, FreeBSD Stable <freebsd-stable@freebsd.org>, freebsd-ipfw@freebsd.org
Subject:   Re: how much memory does increasing max rules for IPFW take up?
Message-ID:  <20080515162056.GA17187@eos.sc1.parodius.com>
In-Reply-To: <482C0A89.104@FreeBSD.org>
References:  <04EA1C34-AB7D-4A85-8A91-DED03E987706@khera.org> <482C07DE.3090504@yandex.ru> <482C0A89.104@FreeBSD.org>

On Thu, May 15, 2008 at 11:03:53AM +0100, Bruce M. Simpson wrote:
> Andrey V. Elsukov wrote:
>> Vivek Khera wrote:
>>> I had a box run out of dynamic state space yesterday.  I found I can 
>>> increase the number of dynamic rules by increasing the sysctl parameter 
>>> net.inet.ip.fw.dyn_max.  I can't find, however, how this affects memory 
>>> usage on the system.  Is it dynamically allocated and de-allocated, or 
>>> is it a static memory buffer?
>>
>> Each dynamic rule is allocated dynamically. Be careful: too many dynamic 
>> rules will work very slowly.
>
> Got any figures for this? I took a quick glance and it looks like it just 
> uses a hash over dst/src/dport/sport. If there are a lot of raw IP or ICMP 
> flows then that's going to result in hash collisions.
>
> It might be a good project for someone to optimize if it isn't scaling for 
> folk. "Bloomier" filters are probably worth a look -- bloom filters are a 
> class of probabilistic hash which may return a false positive, "bloomier" 
> filters are a refinement which tries to limit the false positives.
>
> Having said that the default tunable of 256 state entries is probably quite 
> low for use cases other than "home/small office NAT gateway".

It's far too low for home/small office.  Standard Linux NAT routers,
such as the Linksys WRT54G/GL, come with a default state table count of
2048, and it is often increased by third-party firmwares to 8192 based on
justified necessity.  Search for "conntrack" below:

http://www.polarcloud.com/firmware

256 can easily be exhausted by more than one user loading multiple HTTP
1.0 web pages at one time (as is the case now that many users have
browsers that load 7-8 web pages into separate tabs during startup).

And if that's not enough reason, consider torrents, which are quite often
what results in a home or office router exhausting its state table.

Bottom line: the 256 default is too low.  It needs to be increased to at
least 2048.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
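As an added example (not code from this thread or from FreeBSD), the following Python models the browser-startup load described above against a dynamic-rule table of size net.inet.ip.fw.dyn_max: it generates one state per HTTP/1.0 object fetch and computes the peak number of states alive at once. The objects-per-page count, the time a state is held, and the stagger between users are constructed assumptions, not measured values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float  # seconds since the burst began
    end: float    # when the dynamic rule is reclaimed (assumed hold time)


def browser_startup_flows(users, tabs, objects_per_page, hold, stagger):
    """Connections created when `users` browsers each open `tabs` pages.

    Assumptions (constructed): every user starts `stagger` seconds after the
    previous one; HTTP/1.0 fetches each object over its own TCP connection,
    and each connection occupies one dynamic rule for `hold` seconds.
    """
    flows = []
    for u in range(users):
        t0 = u * stagger
        for _tab in range(tabs):
            for obj in range(objects_per_page):
                start = t0 + obj * 0.05  # objects are fetched back to back
                flows.append(Flow(start, start + hold))
    return flows


def peak_states(flows):
    """Maximum number of dynamic rules alive at any instant (sweep line)."""
    events = []
    for f in flows:
        events.append((f.start, 1))
        events.append((f.end, -1))
    # At equal timestamps an expiry (-1) sorts before a creation (+1), so a
    # rule reclaimed at t is not counted alongside one created at t.
    events.sort(key=lambda e: (e[0], e[1]))
    alive = peak = 0
    for _, delta in events:
        alive += delta
        peak = max(peak, alive)
    return peak


def fits(flows, dyn_max):
    """True if the burst never exceeds the dynamic-rule limit dyn_max."""
    return peak_states(flows) <= dyn_max


if __name__ == "__main__":
    burst = browser_startup_flows(users=3, tabs=8, objects_per_page=15,
                                  hold=30, stagger=5)
    print(peak_states(burst), fits(burst, 256), fits(burst, 2048))
```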