On May 18, 2008, at 3:26 AM, Ian Smith wrote:
Hashed per flow, (srcip^destip^srcport^dstport) mod
curr_dyn_buckets, so
packets for both directions of a given flow hash to the same
bucket. In
the case you mention, you could likely expect reasonable
distribution by
src_ip/src_port.
Thank
On Fri, 16 May 2008, Vivek Khera wrote:
> How are the buckets used? Are they hashed per rule number or some
> other mechanism? Nearly all of my states are from the same rule (eg,
> on a mail server for the SMTP port rule).
/sys/netinet/ip_fw.h
/sys/netinet/ip_fw2.c
Hashed per flow, (src
How are the buckets used? Are they hashed per rule number or some
other mechanism? Nearly all of my states are from the same rule (eg,
on a mail server for the SMTP port rule).
How should I scale the buckets with the max rules? The default seems
to be 4096 rules and 256 buckets. Should
Bruce M. Simpson wrote:
Got any figures for this? I took a quick glance and it looks like it
just uses a hash over dst/src/dport/sport. If there are a lot of raw IP
or ICMP flows then that's going to result in hash collisions.
It's my guess, i haven't any figures..
Yes, hash collisions will tr
On Thu, 15 May 2008, Jeremy Chadwick wrote:
> On Thu, May 15, 2008 at 11:03:53AM +0100, Bruce M. Simpson wrote:
> > Andrey V. Elsukov wrote:
> >> Vivek Khera wrote:
> >>> I had a box run out of dynamic state space yesterday. I found I can
> >>> increase the number of dynamic rules by increas
On Thu, May 15, 2008 at 11:03:53AM +0100, Bruce M. Simpson wrote:
> Andrey V. Elsukov wrote:
>> Vivek Khera wrote:
>>> I had a box run out of dynamic state space yesterday. I found I can
>>> increase the number of dynamic rules by increasing the sysctl parameter
>>> net.inet.ip.fw.dyn_max. I ca
On May 15, 2008, at 6:03 AM, Bruce M. Simpson wrote:
Having said that the default tunable of 256 state entries is
probably quite low for use cases other than "home/small office NAT
gateway".
The deafult on my systems seems to be 4096. My steady state on a
pretty popular web server is ab
Andrey V. Elsukov wrote:
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the sysctl
parameter net.inet.ip.fw.dyn_max. I can't find, however, how this
affects memory usage on the system. Is it dyanamica
Vivek Khera wrote:
I had a box run out of dynamic state space yesterday. I found I can
increase the number of dynamic rules by increasing the sysctl parameter
net.inet.ip.fw.dyn_max. I can't find, however, how this affects memory
usage on the system. Is it dyanamically allocated and de-alloc
