Subject: Re: IPFilter practical limits?
To: Darren Reed <darrenr@NetBSD.org>
From: Patrick Welche <firstname.lastname@example.org>
Date: 02/27/2007 16:11:28

On Tue, Feb 27, 2007 at 03:50:03PM +0000, Darren Reed wrote:
> On Sat, Feb 17, 2007 at 06:46:19PM +0000, Patrick Welche wrote:
> > On Mon, Mar 27, 2006 at 09:47:14PM +0000, Darren Reed wrote:
> > > When the limits are reached, you'll see a non-zero number next to the
> > > line with "maximum" in it from running "ipfstat -s".
> > If you do see a number next to the line with "maximum" (as I have just
> > witnessed on our last "network is slow" session) what can you do about
> > it?
> You need to increase the hash table size.
> IPSTATE_SIZE and IPSTATE_MAX are what need to be increased.
> If you're building your own kernel, /sys/dist/ipf/netinet/ip_state.h
> is the file to change.

ipf -T fr_statemax=...,fr_statesize=...

equivalent? And should I worry about non-zero "max bucket"? e.g.:

IP states added:
0 no memory
3 max bucket
0 no memory
15749 bkts in use
State logging enabled
State table bucket statistics:
15749 in use
31.48% bucket usage
0 minimal length
7 maximal length
1.393 average length
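
Added example, not part of the original message and not IPFilter's own code: a small parser for "ipfstat -s" state output that applies the check described in the thread (a non-zero "maximum" counter means the state table limit was reached). The function names are hypothetical, and the sample text is constructed from the excerpt above with a made-up "maximum" line.

```python
import re

# Constructed sample shaped like the "ipfstat -s" excerpt in the message above.
# The "maximum" line and its value are made up; the other lines are the excerpt's.
SAMPLE = """\
IP states added:
    0 no memory
    3 max bucket
    12 maximum
    0 no memory
    15749 bkts in use
State logging enabled
State table bucket statistics:
    15749 in use
    31.48% bucket usage
    7 maximal length
"""

COUNTER = re.compile(r"^\s*(\d+(?:\.\d+)?)%?\s+(\S.*?)\s*$")

def parse_sections(text):
    """Return {section: {label: [values]}}; labels can repeat, so keep a list."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = COUNTER.match(raw)
        if m is None:
            # A non-counter line ending in ':' opens a section; anything else closes it.
            line = raw.strip()
            current = line[:-1] if line.endswith(":") else None
        elif current is not None:
            sections.setdefault(current, {}).setdefault(m.group(2), []).append(float(m.group(1)))
    return sections

def check_state_table(text):
    """Summarise the counters discussed in the thread (hypothetical helper)."""
    s = parse_sections(text)
    added = s.get("IP states added", {})
    buckets = s.get("State table bucket statistics", {})
    maximum = int(sum(added.get("maximum", [])))
    return {
        # Per the thread: non-zero "maximum" means the state table limit was hit.
        "limit_reached": maximum > 0,
        "maximum": maximum,
        # The thread leaves the meaning of "max bucket" open; report it as-is.
        "max_bucket": int(sum(added.get("max bucket", []))),
        "bucket_usage_pct": max(buckets.get("bucket usage", [0.0])),
        "maximal_length": int(max(buckets.get("maximal length", [0]))),
    }

if __name__ == "__main__":
    for key, value in check_state_table(SAMPLE).items():
        print(f"{key}: {value}")
```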