Hi,
Sorry for asking something else again so soon, but in my previous
question, I received a link with a lot of useful information regarding
PF (http://undeadly.org/cgi?action=article&sid=20060927091645).
However, one piece of information in that article could create an
important issue for us:
"Not all memory of the host is available to the kernel, and the way the
amount of physical RAM affects the amount available to the kernel
depends on architecture and kernel options and version. As of OpenBSD
3.6, an i386 kernel can use up to 256MB of memory. Prior to 3.6, that
limit was much lower for i386. You could have 8GB of RAM in your host,
and still pf would fail to allocate memory beyond a small fraction of
that amount."
I saw in other places that there were some patches for 3.x that raised it
to 768MB, and one other place that thought it was now the default, but I
didn't manage to find any conclusive information on the current status
of this limitation. If it is still present, what's the current value and
is there any way to manipulate it? The firewall for which this system
will be used is a 4.3 i386 server, replacing an IPTables system, that
will manage hundreds of thousands of sessions, but most of them generate
little throughput, with answers that have around 20 bytes of payload.
We basically want to make sure that there will be sufficient memory to
scale our current and future session tracking needs, especially as this
service will increase in load.
Thanks again,
Steve Johnson