> Seems our 3.5 firewall becomes totally unresponsive at around 50,000
> state table entries, despite a 200,00 state table limit. As soon as I
> clear the state table, the firewall immediately recovers. I've been told
> there is a patch or series of patches that can remedy this behavior. Are
> they in the -stable tree or, if not, which patches correct this
> behavior?

State table entries come from a special part of kernel memory that is
limited to 64meg on OpenBSD 3.5 and below (tedu@ is working magic on
this in current).  You can calculate the maximum number of states you
have memory left for with:

  $ cd /sys/arch/i386/compile/GENERIC
  $ env DEBUG=-g make clean all
  $ su
  # gdb bsd.db
  (gdb) target kcore /dev/mem
  (gdb) p kmem_map->header.end - kmem_map->header.start - kmem_map->size
     ^ that will print the kmem_map memory you have left
  (gdb) p pf_state_pl.pr_itemsperpage
     ^ that prints the number of states you can alloc per page
  (gdb) p pool_allocator_kmem->pa_pagesz
     ^ and that is your machine's page size
  (gdb) p ($1 / $3) * $2
     ^ and that is how many states you have memory left for if you used
       everything for PF states.


That should give you an idea of your upper limit on the number of
states (make sure to leave enough memory for other things).  Now look
into the adaptive.start and adaptive.end limits in the pf.conf man page
to start expiring states more quickly when you're approaching a full
state table.

.mike
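The arithmetic above, carried through as an added worked example (this is not code from the original post or from OpenBSD): it takes the three numbers the gdb session prints (free kmem_map bytes, pf_state items per page, page size), turns them into a state budget with some headroom held back, and then applies the adaptive timeout scaling rule that pf.conf(5) documents for adaptive.start/adaptive.end. Every numeric input below is a constructed sample value, the 50% headroom is an assumed policy, and the 60%/120% defaults are the ones later pf.conf(5) manuals document, not anything measured on a 3.5 box.

```python
"""Added worked example: state-table budget and adaptive timeout scaling.

Not from the original post or from OpenBSD.  All inputs here are
constructed sample values, not measurements from a real machine.
"""
from fractions import Fraction


def max_states(kmem_free_bytes, page_size, items_per_page):
    """Same computation as the gdb expression `p ($1 / $3) * $2`:
    whole pages still free in kmem_map, times pf_state items per page."""
    if page_size <= 0 or items_per_page <= 0:
        raise ValueError("page size and items per page must be positive")
    return (kmem_free_bytes // page_size) * items_per_page


def state_budget(kmem_free_bytes, page_size, items_per_page,
                 reserve=Fraction(1, 2)):
    """Upper limit for `set limit states` when only part of the free
    kmem_map is handed to PF.  `reserve` is an assumed headroom policy
    (keep half for everything else), not a pf setting."""
    usable = kmem_free_bytes - int(kmem_free_bytes * reserve)
    return max_states(usable, page_size, items_per_page)


def adaptive_limits(state_limit, start_pct=60, end_pct=120):
    """adaptive.start / adaptive.end as percentages of the state limit.
    60% and 120% are the defaults later pf.conf(5) manuals document;
    they are used here as assumed defaults."""
    return state_limit * start_pct // 100, state_limit * end_pct // 100


def adaptive_scale(current_states, adaptive_start, adaptive_end):
    """Timeout scaling factor from pf.conf(5): timeouts are unchanged
    below adaptive.start, scaled linearly by
    (adaptive.end - states) / (adaptive.end - adaptive.start) between
    the two, and reach 0 at adaptive.end (states expire immediately)."""
    if adaptive_end <= adaptive_start:
        raise ValueError("adaptive.end must exceed adaptive.start")
    if current_states <= adaptive_start:
        return Fraction(1)
    if current_states >= adaptive_end:
        return Fraction(0)
    return Fraction(adaptive_end - current_states,
                    adaptive_end - adaptive_start)


def scaled_timeout(base_seconds, current_states, adaptive_start, adaptive_end):
    """Effective timeout in whole seconds after adaptive scaling."""
    factor = adaptive_scale(current_states, adaptive_start, adaptive_end)
    return int(base_seconds * factor)


if __name__ == "__main__":
    # Constructed sample values standing in for the three gdb results:
    KMEM_FREE = 40 * 1024 * 1024   # $1: bytes left in kmem_map
    ITEMS_PER_PAGE = 15            # $2: pf_state_pl.pr_itemsperpage
    PAGE_SIZE = 4096               # $3: pool_allocator_kmem->pa_pagesz

    ceiling = max_states(KMEM_FREE, PAGE_SIZE, ITEMS_PER_PAGE)
    budget = state_budget(KMEM_FREE, PAGE_SIZE, ITEMS_PER_PAGE)
    start, end = adaptive_limits(budget)
    print("absolute ceiling if all free kmem went to PF:", ceiling)
    print("suggested 'set limit states':", budget)
    print("adaptive.start / adaptive.end:", start, end)
    # Sample tcp.established timeout of 24h at 50,000 live states:
    print("tcp.established at 50000 states:",
          scaled_timeout(86400, 50000, start, end), "seconds")
```

The `adaptive_scale` factor is what makes the adaptive.* knobs useful in the situation the questioner describes: once the live state count passes adaptive.start, every timeout shrinks in proportion, so the table drains on its own instead of being cleared by hand.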
