This...
struct pf_state {
    u_int64_t id;
    u_int32_t creatorid;
    struct pf_state_host lan;
    struct pf_state_host gwy;
    struct pf_state_host ext;
    sa_family_t af;
    u_int8_t proto;
    u_int8_t direction;
    u_int8_t pad;
    u_int8_t log;
    u_int8_t allow_opts;
    u_int8_t timeout;
    u_int8_t sync_flags;
#define PFSTATE_NOSYNC 0x01
#define PFSTATE_FROMSYNC 0x02
#define PFSTATE_STALE 0x04
    union {
        struct {
            RB_ENTRY(pf_state) entry_lan_ext;
            RB_ENTRY(pf_state) entry_ext_gwy;
            RB_ENTRY(pf_state) entry_id;
            TAILQ_ENTRY(pf_state) entry_list;
            struct pfi_kif *kif;
        } s;
        char ifname[IFNAMSIZ];
    } u;
    struct pf_state_peer src;
    struct pf_state_peer dst;
    union pf_rule_ptr rule;
    union pf_rule_ptr anchor;
    union pf_rule_ptr nat_rule;
    struct pf_addr rt_addr;
    struct pfi_kif *rt_kif;
    struct pf_src_node *src_node;
    struct pf_src_node *nat_src_node;
    u_int64_t packets[2];
    u_int64_t bytes[2];
    u_int32_t creation;
    u_int32_t expire;
    u_int32_t pfsync_time;
    u_int16_t tag;
};
Note the amount of included structs. For a full breakdown read:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pfvar.h?rev=1.234&content-type=text/x-cvsweb-markup
--Bill
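
Added example, not part of the original thread and not pfSense or pf project code: a headroom check that reads the state limit and current state count from pfctl text and budgets memory with the "max 1K per state" upper bound quoted in this thread. The sample text is constructed, modelled on the assumed layout of `pfctl -s memory` and `pfctl -s info`; the function names, the 256MB RAM figure as a threshold and the 70% warning level are assumptions made for the example.

```sh
#!/bin/sh
# Constructed sample of `pfctl -s memory` output (not captured from a real firewall).
SAMPLE_MEMORY='states        hard limit    70000
src-nodes     hard limit    70000
frags         hard limit     5000'

# Constructed sample of the "State Table" part of `pfctl -s info` output.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                    52000
  searches                        91234567         1520.3/s
  inserts                           812345           13.5/s
  removals                          760345           12.7/s'

# state_limit: read `pfctl -s memory` text on stdin, print the hard limit on states.
state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# current_states: read `pfctl -s info` text on stdin, print the current state count.
current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# worst_case_mb LIMIT: MB needed (rounded up) if every state costs the 1K upper bound.
worst_case_mb() {
    echo $(( ($1 * 1024 + 1048575) / 1048576 ))
}

# check_states CURRENT LIMIT RAM_MB WARN_PCT: print a one-line verdict.
check_states() {
    pct=$(( $1 * 100 / $2 ))
    mb=$(worst_case_mb "$2")
    if [ "$mb" -ge "$3" ]; then
        echo "CRIT limit=$2 needs up to ${mb}MB of ${3}MB RAM"
    elif [ "$pct" -ge "$4" ]; then
        echo "WARN states=$1/$2 (${pct}%) worst-case ${mb}MB"
    else
        echo "OK states=$1/$2 (${pct}%) worst-case ${mb}MB"
    fi
}

limit=$(printf '%s\n' "$SAMPLE_MEMORY" | state_limit)
cur=$(printf '%s\n' "$SAMPLE_INFO" | current_states)
check_states "$cur" "$limit" 256 70
```

On a live firewall the two sample variables would be replaced by the output of the pfctl commands themselves.
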
On 5/15/06, Peter Curran <[EMAIL PROTECTED]> wrote:
Thanks Holger
I thought I remembered seeing something about this in the past, but google
could not find it.
Interesting it is max 1K per state. I wonder what the factors are that
influence the size.
/peter
On Monday 15 May 2006 20:15, Holger Bauer wrote:
> Bill already answered this here:
> http://forum.pfsense.org/index.php?topic=1000.msg5953#msg5953
>
> Holger
>
> > -----Original Message-----
> > From: Peter Curran [mailto:[EMAIL PROTECTED]
> > Sent: Monday, May 15, 2006 8:54 PM
> > To: [email protected]
> > Subject: [pfSense Support] Maximum state table size
> >
> >
> > Can I ask Scott/Bill/Chris how big a state table I can reserve?
> >
> > We have just gone live with a pfsense pair on a pretty big website. We are
> > pulling a pretty consistent load of 6-8 Mbps outbound and running with a
> > steady 30-40K states, peaking to 50+.
> >
> > The boxes have 256MB of memory, so plenty of head-room.
> >
> > What is the maximum size that I can wind the 'Firewall Maximum States'
> > variable up to? I am currently running with 70K states defined, but would
> > like to go to at least 100K.
> >
> > Incidentally the site admin has reported a strange problem with state
> > management in the slave firewall: If you run out of states on the slave you
> > can only get it to see an increase by rebooting. This does not seem to be
> > the case on the master. This is probably a FreeBSD/pf issue, rather than
> > pfsense but I thought you might like to know.
> >
> > This setup seems to be very smooth - I am seeing a consistent 3.3 Mbps out of
> > the master's pfsync port and < 30% CPU load (2GHz Celeron with 4 Gigabit
> > Ethernet ports). I have not tried polling yet, but will do so if the CPU
> > load goes much higher.
> >
> > Be glad of any advice.
> >
> > Cheers
> >
> > /Peter
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
>
> ____________
> Virus checked by G DATA AntiVirusKit