Subject: Large ipf Rule Sets - Memory Usage and NetBSD 2.1_Stable
To: None <firstname.lastname@example.org>
From: None <email@example.com>
Date: 03/24/2006 16:31:25
I have been using ipf to block some large swaths of unwelcome
address ranges for a while now.
My current (working) rule sets consist of about 85,000 mostly
symmetric input and output rules for ~170,000 rules total.
This appears to occupy about 85MB of kernel memory, which is
where ipf memory resides under NetBSD.
Question 1: The ascii files for these rules only occupy about 12-13MB.
Is the 85MB number reflective of some sort of allocation error?
(I would expect the in memory storage to be smaller since binary
coding can be used?)
Question 2: If I flush the rulesets, I do not seem to get this
kernel memory back. How can I determine if this is a NetBSD kernel
issue or an ipf issue?
# ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
[I'm manually cross posting this querry to the tech-net@netbsd
and ipf mailing lists.
If I make progress, I will send a summary to both]