Andrey V. Elsukov wrote:
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can increase the number of dynamic rules by increasing the sysctl parameter net.inet.ip.fw.dyn_max. I can't find, however, how this affects memory usage on the system. Is it dynamically allocated and de-allocated, or is it a static memory buffer?

Each dynamic rule is allocated dynamically. Be careful, too many dynamic rules will work very slowly.

Got any figures for this? I took a quick glance and it looks like it just uses a hash over dst/src/dport/sport. If there are a lot of raw IP or ICMP flows then that's going to result in hash collisions.

It might be a good project for someone to optimize if it isn't scaling for folk. "Bloomier" filters are probably worth a look -- bloom filters are a class of probabilistic hash which may return a false positive, "bloomier" filters are a refinement which tries to limit the false positives.

Having said that the default tunable of 256 state entries is probably quite low for use cases other than "home/small office NAT gateway".

cheers
BMS
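
To make the collision point above concrete, here is a small added model (written for this thread, not ipfw's own code) of a state table whose bucket is an XOR of dst/src/dport/sport masked to a power-of-two table size; the sample flows and the exact hash are assumptions, chosen to show what happens once the port fields are zero, as they are for raw IP and ICMP state entries:

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified lookup model: bucket = (dst ^ src ^ dport ^ sport) & mask.
 * NBUCKETS mirrors the 256-entry default mentioned in the thread. */
#define NBUCKETS 256
#define NFLOWS   200

struct flow { uint32_t src, dst; uint16_t sport, dport; };

static unsigned flow_bucket(const struct flow *f) {
    uint32_t h = f->src ^ f->dst ^ f->sport ^ f->dport;
    return h & (NBUCKETS - 1);
}

/* Insert n flows and return the longest bucket chain (1 = no collisions).
 * Lookup cost in a chained table grows with this number. */
static unsigned longest_chain(const struct flow *flows, size_t n) {
    unsigned count[NBUCKETS] = {0}, worst = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = flow_bucket(&flows[i]);
        if (++count[b] > worst) worst = count[b];
    }
    return worst;
}

/* Constructed sample: NFLOWS clients at 10.0.<i>.5 (one per /24) all talking
 * to one server 10.1.1.1. With with_ports=1 each client uses a distinct
 * ephemeral source port to TCP/80; with 0 the ports are zero, as for raw IP
 * or ICMP state. */
static unsigned worst_chain_for(int with_ports) {
    struct flow flows[NFLOWS];
    for (int i = 0; i < NFLOWS; i++) {
        flows[i].src   = (10u << 24) | ((uint32_t)i << 8) | 5;      /* 10.0.i.5 */
        flows[i].dst   = (10u << 24) | (1u << 16) | (1u << 8) | 1;  /* 10.1.1.1 */
        flows[i].sport = with_ports ? (uint16_t)(49152 + i) : 0;
        flows[i].dport = with_ports ? 80 : 0;
    }
    return longest_chain(flows, NFLOWS);
}

int main(void) {
    printf("TCP flows, distinct ports : longest chain %u\n", worst_chain_for(1));
    printf("Port-less flows (raw/ICMP): longest chain %u\n", worst_chain_for(0));
    return 0;
}
```

With ports present the table spreads the 200 flows with no collisions, but with ports zeroed only the low address byte survives the mask and every one of the 200 entries lands in the same bucket, so each lookup walks the whole chain; that is the degradation worth watching when raising dyn_max on a gateway carrying much non-TCP/UDP traffic.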
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"