> From: Daniel Hartmeier (danielbenzedrine.cx)
> Date: Wed Dec 12 2001 - 08:31:08 CST
>
> On Wed, Dec 12, 2001 at 03:08:37PM +0100, Nicolas Prochazka wrote:
>
> > With OpenBSD 2.9 and ipf, our internet connection was down due to an ip state
> > overflow (the default IPSTATE_SIZE was near 4000, and we increased it to 7069
> > to solve the problem), but perhaps it is not the same issue with OpenBSD 3 +
> > pf?
>
> pf uses a binary search tree instead of a hash table, which doesn't require
> pre-defining a maximum size. The tree will just grow until memory allocation
> fails. With 64MB RAM that typically doesn't happen until you have over
> 60000 state entries.
>
> Daniel

I have been doing some research and I came across this message from some time ago. Is this still relevant?

If so, can anyone tell me if the PF binary search tree is more or less memory efficient than the ipfilter hash table?

What is the fallout if PF cannot allocate any more memory for the binary search tree? Does it drop connections or puke all over?

I am trying to convince my current employer to move away from ipfilter and over to PF. Any assistance would be appreciated.

Breeno
