Date: Mon, 12 Nov 2012 20:23:18 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: Darrel <levitch@iglou.com>
Cc: current@freebsd.org
Subject: Re: Too many dynamic rules
Message-ID: <20121113022318.GE20857@dan.emsphone.com>
In-Reply-To: <alpine.GSO.2.00.1211121835130.23406@shell1>
References: <alpine.GSO.2.00.1211121835130.23406@shell1>

In the last episode (Nov 12), Darrel said:
> Hello,
>
> Today I booted r242670 from the console and noticed an error. This
> is one line from the end of dmesg:
>
> ipfw: ipfw_install_state: Too many dynamic rules
>
> The ruleset has always been dynamic and has no additional rules.
> Search engines produced similar error messages, but no information
> that seems to be the correct solution.
>
> I have a basically identical ruleset on fbsd91 and no error message.

That means that the dynamic rules generated by the keep-state keyword hit
the currently-configured limit. If you get hit with a lot of random
traffic that matches a keep-state rule, you'll get that message. It's not
the rules themselves that cause this, it's the traffic.

Run "sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count" and compare
the two values. If count is near to dyn_max, you can simply raise dyn_max.
It's a writeable sysctl. I set it to 65535 on my systems in
/etc/sysctl.conf with no apparent ill effects.

--
Dan Nelson
dnelson@allantgroup.com
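
The dyn_count versus dyn_max comparison described in the message above, as an added example that is not part of the original e-mail: a POSIX sh check that parses the two sysctl values and reports how much of the dynamic-rule table is in use. The function names, the 80% THRESHOLD_PCT default and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message): report ipfw dynamic-rule
# table usage from the output of
#   sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count
# THRESHOLD_PCT is an assumed alerting threshold; tune it for your traffic.
THRESHOLD_PCT=${THRESHOLD_PCT:-80}

# dyn_usage: read "name: value" sysctl lines on stdin, print "count max pct".
# Exits 2 if either value is missing or non-numeric, or if dyn_max is zero.
dyn_usage() {
    awk -F': *' '
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2;   have_max = 1 }
        $1 == "net.inet.ip.fw.dyn_count" { count = $2; have_count = 1 }
        END {
            if (!have_max || !have_count ||
                max !~ /^[0-9]+$/ || count !~ /^[0-9]+$/ || max == 0)
                exit 2
            printf "%d %d %d\n", count, max, int(count * 100 / max)
        }'
}

# dyn_check: print a one-line verdict for the sysctl output on stdin.
# Returns 0 below the threshold, 1 at or above it, 2 on a parse failure.
dyn_check() {
    usage=$(dyn_usage) || {
        echo "ERROR: could not parse dyn_max/dyn_count"
        return 2
    }
    set -- $usage    # $1 = count, $2 = max, $3 = percent in use
    if [ "$3" -ge "$THRESHOLD_PCT" ]; then
        echo "WARN: $1 of $2 dynamic rules in use ($3%), near dyn_max"
        return 1
    fi
    echo "OK: $1 of $2 dynamic rules in use ($3%)"
}

# Constructed sample values, not real output. On a FreeBSD host with ipfw
# loaded, pipe the live values into the check instead:
#   sysctl net.inet.ip.fw.dyn_max net.inet.ip.fw.dyn_count | dyn_check
printf 'net.inet.ip.fw.dyn_max: 4096\nnet.inet.ip.fw.dyn_count: 4010\n' |
    dyn_check || true
```

Run from cron or a monitoring agent, the non-zero exit status gives warning before the "Too many dynamic rules" message appears in dmesg.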