I have been using ipf to block some large swaths of unwelcome address ranges for a while now.

My current (working) rule sets consist of about 85,000 mostly symmetric input and output rules, for ~170,000 rules total. This appears to occupy about 85MB of kernel memory, which is where ipf memory resides under NetBSD.

Question 1: The ASCII files for these rules only occupy about 12-13MB. Is the 85MB number reflective of some sort of allocation error? (I would expect the in-memory storage to be smaller, since binary coding can be used?)

Question 2: If I flush the rulesets, I do not seem to get this kernel memory back. How can I determine if this is a NetBSD kernel issue or an ipf issue?

NetBSD 2.1_Stable

# ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3

[I'm manually cross-posting this query to the [EMAIL PROTECTED] and ipf mailing lists. If I make progress, I will send a summary to both.]
