Subject: Re: Large ipf Rule Sets - Memory Usage and NetBSD 2.1_Stable
To: None <yancm@sdf.lonestar.org>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 03/26/2006 13:00:18
On Fri, Mar 24, 2006 at 04:31:25PM -0500, yancm@sdf.lonestar.org wrote:
> I have been using ipf to block some large swaths of unwelcome
> address ranges for a while now.
> 
> My current (working) rule sets consist of about 85,000 mostly
> symmetric input and output rules for ~170,000 rules total.
> 
> This appears to occupy about 85MB of kernel memory, which is
> where ipf memory resides under NetBSD.
> 
> Question 1: The ASCII files for these rules only occupy about 12-13MB.
> Is the 85MB number reflective of some sort of allocation error?
> (I would expect the in memory storage to be smaller since binary
> coding can be used?)

Not necessarily, because to be efficient the structure to store a rule
probably has to be fixed-size. This means the structure to store a line
of rule will have space for much more information than the line
actually has (e.g. for a line "block in all", the structure will
have space to store the interface name, source and destination IP
addresses, protocol, port number ranges, group id, TCP flags, etc.).

> 
> Question 2: If I flush the rulesets, I do not seem to get this
> kernel memory back. How can I determine if this is a NetBSD kernel
> issue or an ipf issue?

Does ipf -D get it back ?

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
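To make the fixed-size-record argument in the reply concrete, here is an added example that is not ipf source and not code from either poster: a hypothetical `struct rule` whose field set follows the list in the reply (interface name, source and destination addresses, protocol, port ranges, group id, TCP flags, plus the counters and list linkage a kernel record typically carries), a parser for a small ipf-like rule subset, and a function that compares the bytes of rule text with the bytes of records those lines become. The struct layout, the `RULE_IFNAMSIZ` width, the `NEXT()` helper macro and the sample rule lines are all assumptions made for the illustration, not ipf's real `frentry` layout; the point is that "block in all" occupies 13 bytes in the file but a full record in memory, whether or not the line set any of the fields.

```c
/* Added example, not ipf source: a hypothetical fixed-size rule record and a
 * parser for a small ipf-like rule subset, to show why tens of thousands of
 * short rule lines can cost far more in-kernel than their text size. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RULE_IFNAMSIZ 16                 /* assumption: interface-name width */
#define NEXT() (tok = strtok(NULL, " \t\n"))

/* Hypothetical record; field sizes are assumptions, not ipf's frentry. Every
 * field is present whether or not the rule line mentioned it. */
struct rule {
    uint8_t  action, in, quick, proto;   /* block=1/pass=0; in=1/out=0; 0=any proto */
    char     ifname[RULE_IFNAMSIZ];      /* "" = any interface */
    uint32_t src, srcmask, dst, dstmask; /* host byte order; mask 0 = any */
    uint16_t sport_lo, sport_hi, dport_lo, dport_hi;
    uint32_t group;                      /* group id */
    uint8_t  tcpflags, tcpflagmask;
    uint64_t hits, bytes;                /* per-rule counters live here too */
    struct rule *next;                   /* list linkage */
    char     comment[80];                /* optional comment, fixed width */
};

/* "a.b.c.d[/bits]" or "any" -> addr/mask in host byte order. */
static int parse_addr(const char *s, uint32_t *addr, uint32_t *mask)
{
    unsigned a, b, c, d, bits = 32;
    if (strcmp(s, "any") == 0) { *addr = *mask = 0; return 1; }
    if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &bits) < 4 ||
        a > 255 || b > 255 || c > 255 || d > 255 || bits > 32)
        return 0;
    *mask = bits ? 0xffffffffu << (32 - bits) : 0;   /* no UB for /0 */
    *addr = ((a << 24) | (b << 16) | (c << 8) | d) & *mask;
    return 1;
}

/* Parses: <pass|block> <in|out> [quick] [on IF] [proto tcp|udp|icmp]
 *         ( all | from ADDR to ADDR [port = N] )
 * Returns 1 on success, 0 on a malformed line. */
int parse_rule(const char *line, struct rule *r)
{
    char buf[256], *tok;
    int have_match = 0;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    memset(r, 0, sizeof *r);
    r->sport_hi = r->dport_hi = 65535;   /* "any port" */

    if (!(tok = strtok(buf, " \t\n"))) return 0;
    if (!strcmp(tok, "block")) r->action = 1; else if (strcmp(tok, "pass")) return 0;
    if (!NEXT()) return 0;
    if (!strcmp(tok, "in")) r->in = 1; else if (strcmp(tok, "out")) return 0;

    while (NEXT()) {
        if (!strcmp(tok, "quick")) r->quick = 1;
        else if (!strcmp(tok, "all")) have_match = 1;
        else if (!strcmp(tok, "on")) {
            if (!NEXT() || strlen(tok) >= RULE_IFNAMSIZ) return 0;
            strcpy(r->ifname, tok);
        } else if (!strcmp(tok, "proto")) {
            if (!NEXT()) return 0;
            if (!strcmp(tok, "tcp")) r->proto = 6;
            else if (!strcmp(tok, "udp")) r->proto = 17;
            else if (!strcmp(tok, "icmp")) r->proto = 1;
            else return 0;
        } else if (!strcmp(tok, "from")) {
            if (!NEXT() || !parse_addr(tok, &r->src, &r->srcmask)) return 0;
            if (!NEXT() || strcmp(tok, "to")) return 0;
            if (!NEXT() || !parse_addr(tok, &r->dst, &r->dstmask)) return 0;
            have_match = 1;
        } else if (!strcmp(tok, "port")) {
            unsigned p;
            if (!NEXT() || strcmp(tok, "=") || !NEXT() ||
                sscanf(tok, "%u", &p) != 1 || p > 65535) return 0;
            r->dport_lo = r->dport_hi = (uint16_t)p;
        } else return 0;
    }
    return have_match;
}

/* Text bytes (newlines included) vs. record bytes for a rule set.
 * Returns the record/text ratio, or 0 if any line fails to parse. */
double rule_set_overhead(const char *const *lines, size_t n,
                         size_t *text_bytes, size_t *record_bytes)
{
    struct rule r;
    size_t i, t = 0;
    for (i = 0; i < n; i++) {
        if (!parse_rule(lines[i], &r)) return 0;
        t += strlen(lines[i]) + 1;
    }
    *text_bytes = t;
    *record_bytes = n * sizeof(struct rule);
    return (double)*record_bytes / (double)t;
}

int main(void)
{
    /* Constructed sample rule set in the style of the poster's block lists. */
    static const char *const rules[] = {
        "block in all", "block out all",
        "block in quick on fxp0 from 10.0.0.0/8 to any",
        "block out quick on fxp0 from any to 10.0.0.0/8",
        "pass in quick on fxp0 proto tcp from any to 192.0.2.10/32 port = 22",
    };
    size_t n = sizeof rules / sizeof rules[0], tb, rb;
    double ratio = rule_set_overhead(rules, n, &tb, &rb);
    printf("%zu bytes/record; %zu rules: %zu text bytes vs %zu record bytes (x%.1f)\n",
           sizeof(struct rule), n, tb, rb, ratio);
    return 0;
}
```

The ratio printed depends on the assumed record layout, so it is the shape of the result that matters, not the number: a mostly-symmetric block list made of short lines pays the full record size per line, and the ratio only grows as lines get shorter. A real filter's record is also not the whole story, since per-rule statistics, group tables and allocator rounding add to what the kernel holds on top of the structure itself.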