In some mail from [EMAIL PROTECTED], sie said:
...
> I have been trying to use larger filter rule sets and have run into the
> limits of my hardware. This prompted me to study the issue in a bit more
> detail.
>
> I'm running NetBSD 2.1_Stable with ifp 4.1.3 (old I know, but has the
> rules memory overhead changed since then?). I currently have 256M ram and
> could conceivably get to 384MB, but no more with my present machine.
>
> I loaded several groups of 10,000 filter rules and observed memory usage.
>
> I observed that 10,000 rules consume on average 7.5 MB of
> kernel temp memory pool or ~780 Bytes/rule.
>
> In ascii format, 10,000 rules only consume about 750 kB or ~77 Bytes/rule.
>
> I would expect that the rules themselves are stored in some coded
> format and so should consume less storage than ascii, not more.
>
> I have tried looking at the frentry struct definition. If that gets
> created for every rule, I begin to understand why the overhead is so high.
>
> Key Questions:
> 1) Does an overhead figure of 750 kB seem about right as a per rule
> overhead figure for filter rule storage?

I think you mean "750 bytes", not "750kB"? Or something else?

> 2) Is there anything simple that can be done to reduce this overhead?
> Or is the implementation dependent on this scheme?

The data structure used to contain rules has provision in it for holding
a single rule that specifies many fields that are often blank.

For example, every kernel rule structure has in it room for a group name
and a group-head name, as well as pointers to go with them. There is also
provision for 4 interface names, and their pointers for stateful filtering.

Is this potentially wasteful of memory? Yes.

But I believe it makes handling the data structures much easier and less
prone to error, so I think it is worth it.

Darren
