how much memory does increasing max rules for IPFW take up?
Bruce M. Simpson
bms at FreeBSD.org
Thu May 15 10:19:21 UTC 2008
Andrey V. Elsukov wrote:
> Vivek Khera wrote:
>> I had a box run out of dynamic state space yesterday. I found I can
>> increase the number of dynamic rules by increasing the sysctl
>> parameter net.inet.ip.fw.dyn_max. I can't find, however, how this
>> affects memory usage on the system. Is it dynamically allocated and
>> de-allocated, or is it a static memory buffer?
>
> Each dynamic rule is allocated dynamically. Be careful, too many dynamic
> rules will work very slowly.
Got any figures for this? I took a quick glance and it looks like it
just uses a hash over dst/src/dport/sport. If there are a lot of raw IP
or ICMP flows then that's going to result in hash collisions.
It might be a good project for someone to optimize if it isn't scaling
for folk. "Bloomier" filters are probably worth a look -- bloom filters
are a class of probabilistic hash which may return a false positive,
"bloomier" filters are a refinement which tries to limit the false
positives.
Having said that, the default tunable of 256 state entries is probably
quite low for use cases other than "home/small office NAT gateway".
cheers
BMS
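The collision concern raised above (a hash over dst/src/dport/sport degrading when the port fields are zero, as for ICMP and raw IP) can be made concrete with a small simulation. The following is an added example, not code from this thread or from ipfw itself: it models a state table as a fixed number of buckets and compares two constructed hash functions on the same set of flows. `xor_fold` is a plain XOR of the four fields, chosen as the simplest possible "hash over dst/src/dport/sport" (an assumption; the thread does not spell out ipfw's real function). `keyed_hash` is a keyed BLAKE2b reduction, the kind of mixer one would reach for when optimizing, because it spreads low-entropy keys and a remote sender cannot predict which flows will collide. The topology, bucket count and key are all constructed.

```python
"""Constructed simulation of dynamic-rule bucket collisions (added example)."""
import hashlib
import ipaddress
import struct
from collections import Counter

BUCKETS = 256  # constructed bucket count, a power of two

# Constructed secret. A real state table would draw this randomly at boot so a
# remote sender cannot precompute flows that land in the same bucket.
HASH_KEY = b"constructed-secret-not-for-real-use"


def xor_fold(src, dst, sport, dport, buckets=BUCKETS):
    """Plain XOR of the two addresses and two ports, reduced to a bucket.

    With sport == dport == 0 only the address bits contribute, and flows
    between hosts whose low address bits match all fall into one bucket.
    """
    h = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    h ^= sport ^ dport
    return h % buckets


def keyed_hash(src, dst, sport, dport, buckets=BUCKETS):
    """Keyed BLAKE2b over the packed 4-tuple, reduced to a bucket index."""
    packed = struct.pack("!IIHH", int(ipaddress.ip_address(src)),
                         int(ipaddress.ip_address(dst)), sport, dport)
    digest = hashlib.blake2b(packed, digest_size=4, key=HASH_KEY).digest()
    return int.from_bytes(digest, "big") % buckets


def bucket_stats(flows, hash_fn, buckets=BUCKETS):
    """Return (occupied_buckets, longest_chain) for a list of flow 4-tuples."""
    counts = Counter(hash_fn(*flow, buckets) for flow in flows)
    return len(counts), max(counts.values())


def host_pairs(n=16):
    """Constructed topology: n LAN clients each talking to n servers."""
    clients = [str(ipaddress.ip_address("10.0.0.1") + i) for i in range(n)]
    servers = [str(ipaddress.ip_address("192.168.1.1") + j) for j in range(n)]
    return [(c, s) for c in clients for s in servers]


def tcp_flows():
    """One HTTPS connection per pair, each with its own ephemeral source port."""
    return [(c, s, 49152 + k, 443) for k, (c, s) in enumerate(host_pairs())]


def icmp_flows():
    """The same pairs exchanging ICMP: both port fields of the key are zero."""
    return [(c, s, 0, 0) for c, s in host_pairs()]


def compare():
    """Run both hashes over both flow sets; returns {(hash, proto): stats}."""
    results = {}
    for hash_name, hash_fn in (("xor_fold", xor_fold), ("keyed_hash", keyed_hash)):
        for proto, flows in (("tcp", tcp_flows()), ("icmp", icmp_flows())):
            results[(hash_name, proto)] = bucket_stats(flows, hash_fn)
    return results


if __name__ == "__main__":
    for (hash_name, proto), (occupied, longest) in compare().items():
        print(f"{hash_name:<10} {proto:<5} occupied={occupied:3d}/{BUCKETS} "
              f"longest_chain={longest}")
```

With 256 flows into 256 buckets, the XOR fold places the 256 ICMP flows into only 31 buckets, and the 16 client/server pairs whose low address bytes are equal all share bucket 0 (a chain of 16 entries, so every lookup for those flows walks that chain). The same pairs over TCP spread far better only because the ephemeral port supplies the missing bits. The keyed hash spreads the ICMP flows across well over a hundred buckets regardless of the port fields, which is the property an optimization of the lookup would want, and a random per-boot key also stops a sender from choosing flows that deliberately pile into one chain.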