Yes, that looks quite bad indeed:
IP states added:
47336 TCP
71300 UDP
11 ICMP
10689913 hits
229313 misses
25791 maximum
0 no memory
4013 active
0 expired
0 closed
State logging enabled
I wish those things were syslogged at kernel.critical! I've had some
hardware issues previously with similar symptoms; I thought they were
recurring, and went and replaced my NICs :-/
Well, now, for the bonus question:
How do I change those values?
I tried this:
ipf -D -T fr_statemax=7000,fr_statesize=10009 -E
It changes the value, but also disables ipfilter, which stays this way
until I run svcadm restart ipfilter. Then it restarts, but the value is
reset to the default again.
So I need a way to have the value set on boot - how to do that?
Laurent
On 05/01/10 05:33, Frank wrote:
Hi,
On my FreeBSD system running IP Filter 4.1.28 ipfstat -s provides the
information you need. I'm not sure it does this on Solaris as well, but
I assume so.
In the statistics below, "bucket full", "maximum" and "no memory"
counters are good indications that you need to redimension your system :-)
Regards,
Frank
drawbridge# ipfstat -s
IP states added:
56825 TCP
163700 UDP
4079 ICMP
37401600 hits
86301233 misses
0 bucket full
0 maximum rule references
0 maximum
0 no memory
93 bkts in use
98 active
171844 expired
56727 closed
State logging enabled
State table bucket statistics:
93 in use
94% hash efficiency
1.62% bucket usage
0 minimal length
2 maximal length
1.054 average length
TCP Entries per state
  state:     0   1   2   3   4   5   6   7   8   9  10  11
  entries:   0   0   0   0  87   0   0   0   0   0   9   2
drawbridge#
Laurent Blume wrote:
My feeling is more and more that somehow, ipfilter resources are
exhausted and there is no warning about it.
So the question is: how to track those resources use against the maximum
value, and know when adjustments are in order?
Would it be possible to have that information in the stats (eg, In use:
9999 out of 10000)? Any "official" way to do so? docs.sun.com doesn't
seem to contain much about this.
Thanks,
Laurent
On 02/01/10 17:37, Laurent Blume wrote:
Hi all,
I'm on a recently patched Solaris 10 U8 x86. Since a few weeks back (Dec
24th from the logs), every night, ipfilter starts dropping all packets.
Of course, perfectly valid rules that have been working for years allow
them, and there has been no change in them for months.
Unfortunately, the system is remote, so from my point of view, it just
drops off the network. However, I had someone locally check that it's
still running normally. The logs show the same.
I'm trying to check whether there's a shortage of state buckets, but I'm
a bit unsure where to look.
I know those system tunables for S10:
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
set ipf:ipf_nattable_sz = 10009
However, where to check how much of those are actually used? ipfstat -s
and ipnat -s probably show them, but *which* value exactly matches those?
--
/ Leader de Projet & Communauté | I'm currently on leave from
\ G11N http://fr.opensolaris.org | Bull Services http://www.bull.com
/ FOSUG http://guses.org |
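The thread asks which ipfstat -s counters correspond to the fr_statemax and fr_statesize tunables and how to notice exhaustion before the box drops off the network. The script below is an added example, not code posted by anyone in the thread: it parses ipfstat -s output, pulls the tunables out of an /etc/system fragment, and exits non-zero when the table is at capacity or an exhaustion counter is non-zero. The two sample listings are constructed copies of the Solaris and FreeBSD outputs quoted above; the counter names are the ones ipfstat -s prints there. The 4013/5737 fallbacks are the ipfilter 4.x compiled-in defaults for fr_statemax and fr_statesize (note that the Solaris listing shows exactly 4013 active states alongside 25791 "maximum", which in ipfilter's fr_addstate is the count of new states refused because fr_statemax was already reached). The 90% threshold and the function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the thread: compare ipfstat -s counters with the
# ipf tunables (fr_statemax, fr_statesize) to detect state-table exhaustion.
# Counter names are the ones ipfstat -s prints in the listings above; the
# 4013/5737 fallbacks are the ipfilter 4.x compiled-in defaults (assumption:
# nothing in /etc/system overrides them).

# Constructed sample, modelled on the Solaris listing in the thread.
SAMPLE_EXHAUSTED='IP states added:
	47336 TCP
	71300 UDP
	11 ICMP
	10689913 hits
	229313 misses
	25791 maximum
	0 no memory
	4013 active
	0 expired
	0 closed
State logging enabled'

# Constructed sample, modelled on the FreeBSD listing in the thread.
SAMPLE_HEALTHY='IP states added:
	56825 TCP
	163700 UDP
	4079 ICMP
	37401600 hits
	86301233 misses
	0 bucket full
	0 maximum rule references
	0 maximum
	0 no memory
	93 bkts in use
	98 active
	171844 expired
	56727 closed
State logging enabled'

# Constructed /etc/system fragment, using the tunables named in the thread.
SAMPLE_ETC_SYSTEM='set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
set ipf:ipf_nattable_sz = 10009'

# etc_system_value TEXT module:tunable -> prints the value; exit 1 if not set.
etc_system_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*set[ \t]/ {
        line = $0
        sub(/^[ \t]*set[ \t]+/, "", line)
        n = split(line, kv, /[ \t]*=[ \t]*/)
        if (n >= 2 && kv[1] == key) { print kv[2] + 0; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# ipf_state_check STATS_TEXT FR_STATEMAX FR_STATESIZE
# Exit 0 when the state table looks healthy, 1 when it is at capacity or an
# exhaustion counter is non-zero. Every "<number> <name...>" line of the
# ipfstat -s output becomes c[name], so multi-word names like "no memory" work.
ipf_state_check() {
    printf '%s\n' "$1" | awk -v statemax="$2" -v statesize="$3" '
    $1 ~ /^[0-9]+$/ && NF >= 2 {
        name = $2
        for (i = 3; i <= NF; i++) name = name " " $i
        c[name] = $1 + 0
    }
    END {
        rc = 0
        pct = statemax > 0 ? 100 * c["active"] / statemax : 0
        printf "active states: %d / %d (%.1f%%)\n", c["active"], statemax, pct
        if (pct >= 90) { print "WARN: state table at/near fr_statemax"; rc = 1 }
        # "maximum": fr_addstate refused a new state because fr_statemax was reached
        if (c["maximum"] > 0) { printf "WARN: %d states refused at fr_statemax\n", c["maximum"]; rc = 1 }
        if (c["no memory"] > 0) { printf "WARN: %d states lost to allocation failure\n", c["no memory"]; rc = 1 }
        if (c["bucket full"] > 0) { printf "WARN: %d inserts hit a full hash bucket\n", c["bucket full"]; rc = 1 }
        if ("bkts in use" in c)
            printf "hash buckets in use: %d / %d (fr_statesize)\n", c["bkts in use"], statesize
        exit rc
    }'
}

# ipf_capacity_report STATS_TEXT ETC_SYSTEM_TEXT: reads the tunables from the
# /etc/system text and falls back to the ipfilter 4.x defaults when absent.
ipf_capacity_report() {
    statemax=$(etc_system_value "$2" ipf:fr_statemax) || statemax=4013
    statesize=$(etc_system_value "$2" ipf:fr_statesize) || statesize=5737
    ipf_state_check "$1" "$statemax" "$statesize"
}

# Stand-alone demo: the Solaris-style sample with the default tunables warns.
ipf_capacity_report "$SAMPLE_EXHAUSTED" "" || echo "-> exit status $?: resize the state table"
```

On a live box, feed it the real output: `ipf_capacity_report "$(ipfstat -s)" "$(cat /etc/system)"`. Because the check also reads fr_statemax from /etc/system rather than from the running kernel, it flags the case from the thread where the value was raised at runtime with `ipf -T` but silently fell back to the default after `svcadm restart ipfilter`: "active" pinned at 4013 with a growing "maximum" counter, while /etc/system claims 7000, is exactly that symptom.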