From owner-freebsd-net@FreeBSD.ORG  Tue Apr 22 06:21:36 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9AC0E37B401
	for <freebsd-net@freebsd.org>; Tue, 22 Apr 2003 06:21:36 -0700 (PDT)
Received: from tokyo.ccrle.nec.de (tokyo.ccrle.nec.de [195.37.70.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A900C43F3F
	for <freebsd-net@freebsd.org>; Tue, 22 Apr 2003 06:21:34 -0700 (PDT)
	(envelope-from Martin.Stiemerling@ccrle.nec.de)
Received: from venus.office (venus.office [10.1.1.11])
	by tokyo.ccrle.nec.de (8.12.9/8.12.8) with ESMTP id h3MDLXVI052088;
	Tue, 22 Apr 2003 15:21:33 +0200 (CEST)
Received: from ccrle.nec.de (n-stiemerling.office [10.1.1.109])
	by venus.office (Postfix on SuSE Linux eMail Server 3.0) with ESMTP
	id 2978B89678; Tue, 22 Apr 2003 15:16:23 +0200 (CEST)
Message-ID: <3EA541DE.1080706@ccrle.nec.de>
Date: Tue, 22 Apr 2003 15:21:34 +0200
From: Martin Stiemerling <Martin.Stiemerling@ccrle.nec.de>
Organization: NEC -- Network Labs Europe
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US;
	rv:1.0rc3) Gecko/20020619
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daniel Lang <dl@leo.org>
References: <20030417072027.GA38782@atrbg11.informatik.tu-muenchen.de>
	<3E9E6D34.5020100@ccrle.nec.de>
	<20030422083532.GB49848@atrbg11.informatik.tu-muenchen.de>
	<3EA508EB.5020906@ccrle.nec.de>
	<20030422093422.GE49848@atrbg11.informatik.tu-muenchen.de>
	<20030422131133.GI49848@atrbg11.informatik.tu-muenchen.de>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
Subject: Re: IPfilter changes?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Apr 2003 13:21:36 -0000


[...]
> Flushing the state stable (small): ipf -Fs 
> did help, but not always. I've issued this a couple
> of times, and suddenly it worked again. 

Ah, ok, So you are running out of state table entries...

> 
> Flushing all states: ipf -FS helped a lot. It works much longer
> than just flushing incomplete states. 
> However, ipfstat -s always shows:
> [..]
>         0 no memory
> [..]

That's OK, i.e. no out of memory problems within IP Filter.

Would be nice to see the "State table bucket statistics" output from the 
end of ipfstat -s.
Here are the limits for states compiled into IP FIlter (taken from 
ip_state.h):

#ifndef IPSTATE_SIZE
# define        IPSTATE_SIZE    5737
#endif
#ifndef IPSTATE_MAX
# define        IPSTATE_MAX     4013    /* Maximum number of states held */
#endif

Martin