Date:      Wed, 5 May 1999 00:25:23 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>
Cc:        freebsd-current@FreeBSD.ORG
Subject:   Re: Any action on PR 10570 ? getting closer to 65K :-(
Message-ID:  <199905050725.AAA22417@apollo.backplane.com>
References:   <99May5.130937est.40393@border.alcanet.com.au>

:Matthew Dillon <dillon@apollo.backplane.com> wrote:
:> I think the worst case you might see is on the order of 50,000 or so
:> route entries. ...
:> It take a phenomenally stupid network setup to create more
:> than that.
:With Path MTU Discovery (which is on by default), you effectively
:create a distinct route for every host.  Currently, routes appear to
:take ~20 minutes to expire.  It seems perfectly reasonable for a big
:FTP or WWW server to see 50,000 different hosts in this period.  This
:is getting fairly close to the 64K possible entries.

    The expiration is dynamically tuned based on the creation rate.
    If you bump up the number of tcp connections being made, the route
    timeout will drop until it hits the net.inet.ip.rtminexpire sysctl
    value, which defaults to 10 seconds.  You should never see more than
    a few thousand such routes.  In extreme cases, you might have to reduce
    net.inet.ip.rtexpire from 10 seconds to something smaller, such as 2
    seconds.

    For example, a web server getting 100 hits/sec will, with default
    sysctl values, maintain approximately 1000 temporary routes in the
    route table.

    In fact, I had to commit a fix to the dynamic control of the rtexpire
    variable last year to prevent sudden ramp-ups from blowing away the
    kernel memory pool because it wasn't reducing net.inet.ip.rtexpire
    quickly enough.   Otherwise IP spoofing attacks that randomized the
    source address could take down the machine by overloading the route
    table and running the kernel out of memory.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message