
Max number of states in pf? (100k? 200k? 1M?)



Greetings

 I don't have a good way to test generating large numbers
of states so I was wondering for a server with 2GB of memory
which all it does is pf how many states can it handle? I
started with the default of 10k, exhausted that pretty quick,
then upped it to 32k about 3 weeks ago then exhausted that,
upgraded it to 90k last night, and just now I see it hovering
at around 70k.

OpenBSD 3.7 with Intel Xeon 3.4GHz CPU 2GB memory, 8 "em"
interfaces (only 1 of which is being used by pf at this
time for state info)

(though between the time I saw 70k states and about
2 minutes later it seems to have expired all but 3k
of them)

State Table                          Total             Rate
  current entries                     2786
  searches                     29837068755         5627.9/s
  inserts                        211072218           39.8/s
  removals                       211069432           39.8/s


I do have optimization set to conservative, considering
changing it back to normal. I am mostly concerned about
hitting some sort of magic internal kernel memory limit and
crashing the box. I don't know if there is such a limit,
from what I have read I can't find any evidence that there
is.

Currently the boxes (running pfsync) are running at around
3-4% cpu usage.

running:
set optimization conservative
set timeout { adaptive.start 50000, adaptive.end 92000 }
set limit states 90000

Can I run with 200k states? 500k? 1M states? 'top' reads
1833MB of memory is available. The docs say that 32MB
is enough for ~30k states. So in theory memory-wise at
least this box should be able to handle at least
1.6M states. Not that I plan to keep that much!

There are about 100 servers on the inside of the firewall and
about 250 on the outside (probably will double that in the
next 6 months or less).

thanks

nate