
Re: problem with keep state limit



On Tue, Dec 05, 2000 at 01:29:29PM +0100, Jirásek Vladimír wrote:
> Hello,
> 
> I have version OpenBSD xxx 2.7 compile#0 i386, with ipf -V      
> ipf: IP Filter: v3.3.16 (184)
> Kernel: IP Filter: v3.3.16
> 
> I have about 5 systems behind firewall and I use 4 ipf rules with keep state
> like
> pass in quick on xxxx proto tcp from any to IP flags S/SA keep state
> 
> The fifth server is very loaded (100 incoming TCP sessions per second -
> email server) and when I changed the rule to also use keep state, OpenBSD
> started sending ICMP host IP unreachable to the Internet users, passing only
> some traffic (like shaping). ipfstat -s shows that there are about 2000
> concurrent TCP sessions. Is that too much?

Yes, you have way more traffic than the default state table size(s)
can manage.

You can change the state table size by tweaking IPSTATE_SIZE and
IPSTATE_MAX in /usr/src/sys/netinet/ip_state.h.
IPSTATE_SIZE is the size of the hash table used to store
states. IPSTATE_MAX is the maximum number of states held in this hash
table.

The rules are:
	IPSTATE_SIZE is a prime
	IPSTATE_MAX ~= 0.7 * IPSTATE_SIZE
(yes, in 3.3.16 max > size, but that's wrong)

You will have to estimate your average TCP session duration and adjust
these two knobs accordingly. For example, for an average of 1 minute
per TCP session, and 100 sessions per second, I would use max = 7200
(100*60+20%) and size = the next prime after 7200/0.7.

-- 
Rémi
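
A small sizing helper, added here as a worked example (it is not part of Rémi's post nor of IPFilter), that applies the two rules from the reply: IPSTATE_MAX is the expected number of concurrent states (arrival rate times average state lifetime) plus 20% headroom, and IPSTATE_SIZE is the next prime at or above IPSTATE_MAX / 0.7. It prints the two #define lines to paste into ip_state.h. The function names, the integer arithmetic (n + n/5 and ceil(n*10/7), chosen to avoid floating-point rounding) and the default inputs of 100 sessions/s and 60 s are this example's own assumptions; with those inputs it reproduces the post's max = 7200 and gives size = 10289.

```c
/*
 * ipstate_size.c - compute IPSTATE_MAX / IPSTATE_SIZE for an IPFilter
 * 3.x kernel from an observed session rate and average state lifetime.
 * Added example; not code from the original post or from IPFilter.
 *
 *   cc -o ipstate_size ipstate_size.c
 *   ./ipstate_size [sessions_per_sec] [avg_lifetime_seconds]
 */
#include <stdio.h>
#include <stdlib.h>

/* Trial-division primality test; plenty fast for table sizes in the
 * tens or hundreds of thousands. */
int is_prime(unsigned long n)
{
    if (n < 2)
        return 0;
    if (n % 2 == 0)
        return n == 2;
    for (unsigned long d = 3; d * d <= n; d += 2)
        if (n % d == 0)
            return 0;
    return 1;
}

/* Smallest prime that is >= n (hash table sizes should be prime). */
unsigned long next_prime(unsigned long n)
{
    if (n <= 2)
        return 2;
    if (n % 2 == 0)
        n++;
    while (!is_prime(n))
        n += 2;
    return n;
}

/* IPSTATE_MAX: expected concurrent states plus 20% headroom.
 * Integer arithmetic: expected + expected/5 == 1.2 * expected. */
unsigned long ipstate_max(unsigned long sessions_per_sec,
                          unsigned long avg_lifetime_s)
{
    unsigned long expected = sessions_per_sec * avg_lifetime_s;
    return expected + expected / 5;
}

/* IPSTATE_SIZE: next prime at or above max / 0.7, so the table runs
 * at roughly 70% load when full.  (max*10 + 6) / 7 == ceil(max / 0.7). */
unsigned long ipstate_size(unsigned long max)
{
    unsigned long load_target = (max * 10 + 6) / 7;
    return next_prime(load_target);
}

int main(int argc, char **argv)
{
    /* Defaults are the figures from the thread: 100 sessions/s, 1 minute. */
    unsigned long rate = 100, lifetime = 60;

    if (argc == 3) {
        rate = strtoul(argv[1], NULL, 10);
        lifetime = strtoul(argv[2], NULL, 10);
    }
    if (rate == 0 || lifetime == 0) {
        fprintf(stderr, "usage: %s sessions_per_sec avg_lifetime_seconds\n",
                argv[0]);
        return 1;
    }

    unsigned long max = ipstate_max(rate, lifetime);
    unsigned long size = ipstate_size(max);

    printf("/* %lu sessions/s * %lu s, plus 20%% headroom */\n", rate, lifetime);
    printf("#define IPSTATE_SIZE\t%lu\n", size);
    printf("#define IPSTATE_MAX\t%lu\n", max);
    printf("/* load factor %lu/%lu = %.2f */\n", max, size,
           (double)max / (double)size);
    return 0;
}
```

Two things to keep in mind when feeding it numbers. First, the lifetime that matters is that of the state entry, not of the TCP connection: ipf keeps a closed session in the table until its TCP close timeout expires, so the concurrent count reported by ipfstat -s (2000 in the question above) is a better guide than the mail server's own connection statistics. Second, these are compile-time constants in /usr/src/sys/netinet/ip_state.h, so the change only takes effect after rebuilding and booting the new kernel.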