Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-24 Thread nate
Ted Unangst said:

 states are only allocated on demand.  you could set the limit to a billion
 with no problem until you actually start using too many states.  the limit
 is there to protect you from the firewall imploding.


thanks for all the info, very useful! hopefully such info can
get added to the docs at some point, since others have contacted
me as well asking similar questions.

thanks a lot(again)

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread Ted Unangst
On Fri, 23 Sep 2005, nate wrote:

 ok thats the kind of info I wanted to hear, so kernel
 space can go up to ~300MB ? is this a tunable
 parameter anywhere or is it hard coded?

it is actually 768MB on i386, but you can't use anywhere close to all of 
it for pf states.  it is hard coded.

 is this a low memory vs high memory thing? if so is
 there a good way to monitor low memory on openbsd?
 I tried doing some google searches and all I found was
 people running out of memory.

there is no way i know of to monitor it.  what matters is not memory, but 
address space.

 also one last Q - when you allocate memory for states
 in the pf config, say I allocate for 200k states does
 that allocation happen when the config is loaded or
 is it dynamic? Just wondering if I do exceed the limit
 should I expect it to misbehave immediately upon
 reload(even if it isn't holding that many states) or
 not until it actually hits the state limit.

states are only allocated on demand.  you could set the limit to a billion 
with no problem until you actually start using too many states.  the limit 
is there to protect you from the firewall imploding.


-- 
And that's why your software sucks.



Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread nate
Greetings

 I don't have a good way to test generating large numbers
of states so I was wondering for a server with 2GB of memory
which all it does is pf how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4Ghz CPU 2GB memory, 8 em
interfaces(only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes(running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 9

Can I run with 200k states? 500k ? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. so in theory memory wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and
about 250 on the outside(probably will double that in the
next 6 months or less).

thanks

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread Ted Unangst
On Thu, 22 Sep 2005, nate wrote:

 Can I run with 200k states? 500k ? 1M states? 'top' reads
 1833MB of memory is available. The docs say that 32MB
 is enough for ~30k states. so in theory memory wise at
 least this box should be able to handle at least
 1.6M states. Not that I plan to keep that much!

if it's 1k states per MB RAM, you're into trouble at 300k.  the kernel 
only has so much space to play in.

-- 
And that's why I always keep a bottle of acid handy at my bedside.
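An added example, not code from the thread or from OpenBSD's own tooling, that turns the two points above into a check an administrator can run against a live box: it parses the state-table block of `pfctl -s info` and the `states hard limit` line of `pfctl -s memory`, reports how full the hard limit is, applies the pf.conf(5) adaptive-timeout rule (once the count passes adaptive.start, timeouts are multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end), and sizes the configured limit against the rough 1k-states-per-MB figure. The sample output below is constructed (counters modelled on what was posted in the thread, the 200000 limit and the adaptive.start/adaptive.end values of 60000/120000 chosen for the example); the `assess()` function, its `kernel_budget_mb` default of 300 (taken from the "trouble at 300k" remark, not a kernel constant) and the `pfctl -s memory` row layout are my assumptions.

```python
"""Check pf state-table headroom from pfctl(8) output (added example, not from the thread)."""
import re
import sys

# Constructed sample in the layout of `pfctl -s info` (counters modelled on
# figures posted in the thread) and of `pfctl -s memory`; the limit is assumed.
SAMPLE_INFO = """\
State Table                          Total             Rate
  current entries                    85143
  searches                     23873195139         6541.3/s
  inserts                        393193087          107.7/s
  removals                       393107944          107.7/s
"""

SAMPLE_MEMORY = """\
states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000
"""

# "<name>   <total>   [<rate>/s]" rows; the capitalised header line does not match.
_INFO_RE = re.compile(r"^\s*([a-z]+(?: [a-z]+)*)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")
_MEM_RE = re.compile(r"^\s*(\S+)\s+hard limit\s+(\d+)\s*$")


def parse_state_table(text):
    """Map each counter name to {"total": int, "rate": float or None}."""
    table = {}
    for line in text.splitlines():
        m = _INFO_RE.match(line)
        if m:
            name, total, rate = m.groups()
            table[name] = {"total": int(total), "rate": float(rate) if rate else None}
    return table


def parse_limits(text):
    """Map each pool name ("states", "src-nodes", "frags") to its hard limit."""
    return {m.group(1): int(m.group(2))
            for m in (_MEM_RE.match(line) for line in text.splitlines()) if m}


def adaptive_scale(current, start, end):
    """Multiplier pf applies to state timeouts under adaptive timeouts (pf.conf(5)):
    1.0 at or below adaptive.start, then (end - current) / (end - start), falling
    linearly to 0.0 when the state count reaches adaptive.end."""
    if current <= start:
        return 1.0
    if current >= end:
        return 0.0
    return (end - current) / (end - start)


def assess(info_text, mem_text, adaptive_start, adaptive_end,
           states_per_mb=1000, kernel_budget_mb=300, warn_at=0.8):
    """Summarise headroom: utilisation of the hard limit, the adaptive timeout
    scale in force, and the rough memory the limit could consume. The
    states_per_mb and kernel_budget_mb defaults are the thread's rules of thumb
    (assumed here), not kernel constants."""
    table = parse_state_table(info_text)
    limits = parse_limits(mem_text)
    current = table["current entries"]["total"]
    limit = limits["states"]
    searches = table["searches"]
    scale = adaptive_scale(current, adaptive_start, adaptive_end)
    limit_mb = limit / states_per_mb
    report = {
        "current": current,
        "limit": limit,
        "utilization": current / limit,
        "timeout_scale": scale,
        "limit_mb_estimate": limit_mb,
        # total / rate is the age of the counters in seconds; a pasted table
        # whose columns ran together shows up as a value far off the inserts ratio.
        "counter_age_s": searches["total"] / searches["rate"],
        "warnings": [],
    }
    if report["utilization"] >= warn_at:
        report["warnings"].append(
            f"state table at {report['utilization']:.0%} of the hard limit "
            f"({current}/{limit}); new connections are refused at 100%")
    if current > adaptive_start:
        report["warnings"].append(
            f"adaptive timeouts engaged: timeouts scaled to {scale:.2f}x")
    if limit_mb > kernel_budget_mb:
        report["warnings"].append(
            f"limit of {limit} states could need ~{limit_mb:.0f} MB, over the "
            f"~{kernel_budget_mb} MB rule-of-thumb kernel budget")
    return report


if __name__ == "__main__":
    # Live use: { pfctl -s info; pfctl -s memory; } | python3 pfstates.py
    text = SAMPLE_INFO + SAMPLE_MEMORY if sys.stdin.isatty() else sys.stdin.read()
    for key, value in assess(text, text, 60000, 120000).items():
        print(f"{key}: {value}")
```

The utilization figure is the one to alert on: the hard limit exists so that a flood of short-lived connections exhausts the table rather than the kernel, and at 100% pf refuses new states, so watching the ratio (and whether adaptive timeouts have already started shortening state lifetimes) gives warning before that happens. The counter-age value is a cheap sanity check that the parsed totals and rates belong together.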



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread Vinicius Pavanelli Vianna
Well,

I'm running a similar setup, only Xeon 2.4 dual and running with 300k
states, the info so far is:

State Table                          Total             Rate
  current entries                    89976
  searches                     20496469487        54332.6/s
  inserts                         98362130          260.7/s
  removals                        98272154          260.5/s


load averages:  0.87,  0.64,  0.52                                   00:22:32
39 processes:  38 idle, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Memory: Real: 19M/234M act/tot  Free: 1780M  Swap: 0K/2048M used/tot

That load seems to be coming from some cron jobs, since it was around
0.2/0.3 some days ago.

HTH,
Vinicius

nate wrote:

Greetings

 I don't have a good way to test generating large numbers
of states so I was wondering for a server with 2GB of memory
which all it does is pf how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4Ghz CPU 2GB memory, 8 em
interfaces(only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes(running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 5, adaptive.end 92000 }
set limit states 9

Can I run with 200k states? 500k ? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. so in theory memory wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

there are about 100 servers on the inside of the firewall and
about 250 on the outside(probably will double that in the
next 6 months or less).

thanks

nate



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-22 Thread Paul Connally
On 9/22/05, nate [EMAIL PROTECTED] wrote:
 Greetings

  I don't have a good way to test generating large numbers
 of states so I was wondering for a server with 2GB of memory
 which all it does is pf how many states can it handle? I
 started with the default of 10k, exhausted that pretty quick,
 then upped it to 32k about 3 weeks ago then exhausted that,
 upgraded it to 90k last night, and just now I see it hovering
 at around 70k.

 OpenBSD 3.7 with Intel Xeon 3.4Ghz CPU 2GB memory, 8 em
 interfaces(only 1 of which is being used by pf at this
 time for state info)

Been wondering what the max states are myself.  I've got a 3.7
firewall box set up that's currently routing around 20-30Mb/s (with a
pps rate of round 2.5 -3k), and I've seen state table entries over
100k a couple of times.  I went ahead and set my limit at 200k, and
we've not yet approached that, so I'm just watching it to see if I
need to up it some more.

As far as general resources, the box itself is bored silly.  I
especially like that the interrupts have consistently stayed at zero
(though I'll admit it's got good I/O - Gigabit Ethernet cards
installed in 133Mhz PCI-X slots, which is really the only way to go).


State Table                          Total             Rate
  current entries                    85143
  searches                     23873195139         6541.3/s
  inserts                        393193087          107.7/s
  removals                       393107944          107.7/s

load averages:  0.09,  0.11,  0.08                                   22:54:30
36 processes:  35 idle, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
Memory: Real: 17M/151M act/tot  Free: 853M  Swap: 0K/2048M used/tot

No worries so far.