ipfilter bucket full

To: <netbsd-users%NetBSD.org@localhost>
Subject: ipfilter bucket full
From: Peter Eisch <peisch%gmail.com@localhost>
Date: Fri, 07 Sep 2012 09:34:23 -0500

Hi,

I have a 5.1 system which is increasing the bucket full counter from the
moment the system boots.  I've engineered around these situations which
creep in over the years by tuning compile-time options.  The values in the
current kernel are:

include "arch/i386/conf/GENERIC"
...
options IPSTATE_SIZE=92111
options IPSTATE_MAX=64433

options NAT_SIZE=2047
options RDR_SIZE=2047
options HOSTMAP_SIZE=8191
options NAT_TABLE_MAX=180000
options NAT_TABLE_SZ=16383
...

The system is busy working as a firewall, but not busy enough to justify
increasing the bucket full counter.  I have busier systems running the same
kernel (with more ipf.conf rules) without issue.

I need help investigating how to resolve this.  Ideas?  (I'm happy to offer
my ipf.conf and all other such, but not in the clear publically.)

peter




mouse# uptime
 9:52PM  up 21 mins, 2 users, load averages: 0.00, 0.00, 0.00
mouse# ipfstat -s
IP states added:
        1376 TCP
        4110 UDP
        3 ICMP
        164740 hits
        1389648 misses
        1076 bucket full
        0 maximum rule references
        0 maximum
        0 no memory
        746 bkts in use
        780 active
        4204 expired
        925 closed
State logging enabled

State table bucket statistics:
        746 in use 
        95% hash efficiency
        0.81% bucket usage
        0 minimal length
        13 maximal length
        1.046 average length

TCP Entries per state
     0     1     2     3     4     5     6     7     8     9    10    11
     0    42     0    20   269     2    10     0     0     0    62    46

[jump ahead 11 hours]

mouse# uptime
 9:27AM  up 11:55, 4 users, load averages: 0.03, 0.01, 0.00
mouse# ipfstat -s
IP states added:
        140634 TCP
        476541 UDP
        89 ICMP
        89025470 hits
        267052078 misses
        1289 bucket full
        0 maximum rule references
        0 maximum
        0 no memory
        3955 bkts in use
        4115 active
        494859 expired
        137220 closed
State logging enabled

State table bucket statistics:
        3955 in use
        96% hash efficiency
        4.29% bucket usage
        0 minimal length
        13 maximal length
        1.040 average length

TCP Entries per state
     0     1     2     3     4     5     6     7     8     9    10    11
     3    18    18     4  2305   122    95     0     0     0   622   227
mouse#

Prev by Date: Re: pkgin
Next by Date: Problem with NetBSd 5.1.2 / gethostbyname / nsswitch.conf or bind resolving chain of multiple cnames
Previous by Thread: pkgin
Next by Thread: Problem with NetBSd 5.1.2 / gethostbyname / nsswitch.conf or bind resolving chain of multiple cnames
Indexes:

Home | Main Index | Thread Index | Old Index