Subject: Re: Large ipf Rule Sets - Memory Usage and NetBSD 2.1_Stable
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: None <yancm@sdf.lonestar.org>
List: tech-net
Date: 03/26/2006 07:56:40
> On Fri, Mar 24, 2006 at 04:31:25PM -0500, yancm@sdf.lonestar.org wrote:
>>
>> Question 2: If I flush the rulesets, I do not seem to get this
>> kernel memory back. How can I determine if this is a NetBSD kernel
>> issue or an ipf issue?
>
> Does ipf -D get it back ?
>

No. AFAICT. Is there a better way to look at memory usage?
I'm using 'systat vmstat'...

Before ipf -D:
          memory totals (in kB)
         real   virtual    free
Active  45108    111896    9084
All    245296    312084  204948

After ipf -D:
          memory totals (in kB)
         real   virtual    free
Active  45196    111316    9028
All    245352    311472  205560

And as I try to reload my ruleset after ipf -E...
behavior is improved...post load I get:

          memory totals (in kB)
         real   virtual    free
Active  33748    107372   22068
All    232312    305936  211096

In the past this would have driven the active real memory to
a small number and then effectively ground to a halt.

Then after I reload my *nat* rules (it surprised me a little that
nat got flushed too...it's easy to think of ipnat and ipf as separate
programs which they are not):

          memory totals (in kB)
         real   virtual    free
Active  43976    116792    7140
All    247240    320056  196976

If you give me suggestions to investigate, I'll be glad to
try stuff... Thanks!