I've finally gotten around to setting up 3.3 on a test system and hopefully
soon will deploy it in production.

At an operating system level, version 3.3 seems to have improved kernel
memory management. My system has 512 MB of RAM. Under 3.1, I was unable to
increase NMBCLUSTERS past 4096 without panicking the system at boot, nor
was I able to increase NKMEMPAGES over the default maximum, allowing only
100,000 active states. We did occasionally get mclpool limit errors, so it
was annoying not to be able to increase the allocation. Our active states
are usually between 40-50 thousand, so the state limit was not too big of a
deal, although occasionally we would hit the maximum during high load or
denial of service attacks.

With 3.3, I was able to set NMBCLUSTERS to 16384 with no problems, as well
as increase NKMEMPAGES to twice the default. During testing, I hit 400,000
states with no issues. I could have probably gone higher but I became bored
of waiting for the states to be generated ;)...

As for pf, the first thing I did was incorporate a local change into the
parser allowing for embedded comments within strings. I believe the
accepted way to accomplish this is via string concatenation, but I find
that aesthetically displeasing and involving far too many " characters.

The main new feature I found myself availing of was tables. They allowed me
to dramatically decrease the size of my rule set, as well as make it far
less complex and easier to maintain. It is probably considerably more
efficient as well.

My one quibble with tables again involves the parser. I am fond of embedded
comments for documentation purposes, and found it annoying that tables
declared in place had to be on the same logical line and allowed no
comments within the table definition. I really would have liked to do
something like:

table <foo> { 1.3.4.5           # blah
              5.5.7.8           # bluh
              3.5.8.9           # bleh
         }

Fortunately, tables defined via an external file allow this type of inline
comment, and most of my tables were fairly large so I went ahead and
defined them in separate files. However, for smaller tables defined in
place, this type of commenting would be useful.


Kudos to all of the pf developers. I really appreciate your work...

I'm hoping the next time I upgrade I'll find production ready stateful load
balancing/failover :).



-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  [EMAIL PROTECTED]
California State Polytechnic University  |  Pomona CA 91768
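As an added illustration of the two table styles the post contrasts (this is example configuration, not the poster's ruleset), the fragment below declares one table in place on a single logical line and one backed by an external file whose entries can carry per-line comments. The interface name, table names, file path and addresses are all constructed for the example.

```pf
# /etc/pf.conf fragment (constructed example, not the poster's configuration)
ext_if = "fxp0"

# Table defined in place: one logical line, no comments permitted inside the braces.
table <admins> { 192.0.2.10, 192.0.2.11 }

# Table loaded from a file: the file holds one address or network per line,
# and '#' comments after each entry are allowed, which is what the post wanted.
table <blocked> persist file "/etc/pf/blocked"

block in quick on $ext_if from <blocked> to any
pass in on $ext_if proto tcp from <admins> to any port ssh flags S/SA keep state

# /etc/pf/blocked (constructed example file referenced above)
# 192.0.2.0/24        # documentation prefix, never routed
# 198.51.100.7        # constructed example host
```

After loading the ruleset, the current contents of the file-backed table can be inspected with `pfctl -t blocked -T show`, which is a quick way to confirm that the comments were ignored and only the addresses were loaded.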
