On May 18, 2008, at 3:26 AM, Ian Smith wrote:
Hashed per flow, (srcip^destip^srcport^dstport) mod curr_dyn_buckets, so packets for both directions of a given flow hash to the same bucket. In the case you mention, you could likely expect reasonable distribution by src_ip/src_port.
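The following is an added illustration of the per-flow hash Ian describes (and of the collision case Bruce raises further down for raw IP and ICMP flows, which carry no ports to hash). It is not part of the thread and not ipfw's own code: the struct, the field names, the helper functions, the addresses and the two constructed workloads are all assumptions made here for the example; ipfw keeps its real flow id in struct ipfw_flow_id in /sys/netinet/ip_fw.h and its hash in ip_fw2.c. Modelling ICMP as ports 0/0 is likewise an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Flow identifier as the mail describes it: two addresses and two ports.
 * Added example, not the kernel's code; names are ours.
 */
struct flow {
    uint32_t src_ip;    /* address as a plain 32-bit number */
    uint32_t dst_ip;
    uint16_t src_port;  /* 0 when the protocol has no ports (ICMP, raw IP) */
    uint16_t dst_port;
};

/* Bucket index exactly as described: (srcip^destip^srcport^dstport) mod buckets.
 * With a power-of-two bucket count the modulo keeps only the low bits of the
 * XOR, so only the low bits of the addresses and ports spread the load. */
unsigned flow_bucket(const struct flow *f, unsigned nbuckets)
{
    uint32_t h = f->src_ip ^ f->dst_ip ^ f->src_port ^ f->dst_port;
    return h % nbuckets;
}

/* The reply direction of a flow: addresses and ports swapped.  XOR is
 * commutative, so flow_bucket() gives the same index for both directions. */
struct flow flow_reverse(struct flow f)
{
    struct flow r = { f.dst_ip, f.src_ip, f.dst_port, f.src_port };
    return r;
}

/* Longest bucket chain for a set of flows: the number of entries a lookup
 * has to walk in the worst case. */
unsigned max_bucket_load(const struct flow *flows, size_t n, unsigned nbuckets)
{
    unsigned *load = calloc(nbuckets, sizeof *load);
    unsigned worst = 0;

    if (load == NULL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = flow_bucket(&flows[i], nbuckets);
        if (++load[b] > worst)
            worst = load[b];
    }
    free(load);
    return worst;
}

/* Constructed workload: the mail-server case from the thread.  n TCP
 * connections to port 25 from one client, using consecutive ephemeral
 * source ports starting at first_port (addresses are made up). */
unsigned smtp_worst_chain(unsigned n, uint16_t first_port, unsigned nbuckets)
{
    struct flow *flows = malloc(n * sizeof *flows);
    unsigned worst;

    if (flows == NULL)
        return 0;
    for (unsigned i = 0; i < n; i++) {
        flows[i].src_ip = 0x0a000001;                 /* 10.0.0.1 */
        flows[i].dst_ip = 0xc0a80119;                 /* 192.168.1.25 */
        flows[i].src_port = (uint16_t)(first_port + i);
        flows[i].dst_port = 25;
    }
    worst = max_bucket_load(flows, n, nbuckets);
    free(flows);
    return worst;
}

/* Constructed workload: n ICMP "flows" between the same two hosts.  There
 * are no ports to hash, modelled here as 0/0 (an assumption about how the
 * kernel fills the id), so every entry hashes to the same bucket no matter
 * how many buckets are configured. */
unsigned icmp_worst_chain(unsigned n, unsigned nbuckets)
{
    struct flow f = { 0x0a000001, 0xc0a80119, 0, 0 };
    struct flow *flows = malloc(n * sizeof *flows);
    unsigned worst;

    if (flows == NULL)
        return 0;
    for (unsigned i = 0; i < n; i++)
        flows[i] = f;
    worst = max_bucket_load(flows, n, nbuckets);
    free(flows);
    return worst;
}

int main(void)
{
    printf("4096 SMTP flows, 256 buckets: longest chain %u\n",
           smtp_worst_chain(4096, 1024, 256));
    printf("4096 ICMP flows, 256 buckets: longest chain %u\n",
           icmp_worst_chain(4096, 256));
    printf("4096 ICMP flows, 4096 buckets: longest chain %u\n",
           icmp_worst_chain(4096, 4096));
    return 0;
}
```

The SMTP workload shows why Ian expects a reasonable spread for the mail-server case: varying source ports walk through every low-byte value, so 4096 states spread evenly over 256 buckets (chains of 16). The ICMP workload shows the opposite: identical 4-tuples collide regardless of net.inet.ip.fw.dyn_buckets, so raising the bucket count buys nothing for that traffic and the lookup degrades to a linear walk.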
On Fri, 16 May 2008, Vivek Khera wrote:
How are the buckets used? Are they hashed per rule number or some
other mechanism? Nearly all of my states are from the same rule (eg,
on a mail server for the SMTP port rule).
/sys/netinet/ip_fw.h
/sys/netinet/ip_fw2.c
How should I scale the buckets with the max rules? The default seems
to be 4096 rules and 256 buckets. Should
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the sysctl parameter
net.inet.ip.fw.dyn_max. I can't find, however, how this affects memory
usage on the system. Is it dynamically allocated and
Andrey V. Elsukov wrote:
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the sysctl
parameter net.inet.ip.fw.dyn_max. I can't find, however, how this
affects memory usage on the system. Is it
On May 15, 2008, at 6:03 AM, Bruce M. Simpson wrote:
Having said that the default tunable of 256 state entries is
probably quite low for use cases other than home/small office NAT
gateway.
The default on my systems seems to be 4096. My steady state on a
pretty popular web server is
On Thu, May 15, 2008 at 11:03:53AM +0100, Bruce M. Simpson wrote:
Andrey V. Elsukov wrote:
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the sysctl parameter
net.inet.ip.fw.dyn_max. I can't find,
On Thu, 15 May 2008, Jeremy Chadwick wrote:
On Thu, May 15, 2008 at 11:03:53AM +0100, Bruce M. Simpson wrote:
Andrey V. Elsukov wrote:
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the
Bruce M. Simpson wrote:
Got any figures for this? I took a quick glance and it looks like it
just uses a hash over dst/src/dport/sport. If there are a lot of raw IP
or ICMP flows then that's going to result in hash collisions.
It's my guess, I haven't any figures..
Yes, hash collisions will
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the sysctl
parameter net.inet.ip.fw.dyn_max. I can't find, however, how this
affects memory usage on the system. Is it dynamically allocated and
de-allocated, or is it