
ipf state table limit



I'm running OpenBSD 2.7 with the ipf patched version 3.3.16 (184) on x86
hardware. The machine is the main router in the installation. My
firewall uses a lot of "keep state" rules, e.g. NAT, pop, www, smtp, ssh,
...

I'm having some trouble: sometimes, maybe once a day (never at the same
time), I'm getting dest unreach all over the place. After an "ipf -FS"
everything goes back to normal.

I read the archives and stopped at this post: 

http://www.geocrawler.com/archives/3/256/2000/12/0/4787749/

Message: 4787749
    FROM: pobox.com
    DATE: 12/06/2000 18:52:05
    SUBJECT: RE:  problem with keep state limit
     
    On Tue, Dec 05, 2000 at 01:29:29PM +0100, Jirásek Vladimír wrote:
    > Hello,
    > 
    > I have version OpenBSD xxx 2.7 compile#0 i386, with ipf -V
    > ipf: IP Filter: v3.3.16 (184)
    > Kernel: IP Filter: v3.3.16
    > 
    > I have about 5 systems behind the firewall and I use 4 ipf rules
    > with keep state like
    > pass in quick on xxxx proto tcp from any to IP flags S/SA keep state
    > 
    > The fifth server is very loaded (100 incoming TCP sessions per
    > second - email server) and when I changed the rule to also use keep
    > state, OpenBSD started sending ICMP host IP unreachable to the
    > Internet users, passing only some traffic (like shaping). ipfstat -s
    > shows that there are about 2000 concurrent TCP sessions. Is it too
    > much?

    Yes, you have way more traffic than the default state table size(s)
    can manage.

    You can change the state table size by tweaking IPSTATE_SIZE and
    IPSTATE_MAX in /usr/src/sys/netinet/ip_state.h.
    IPSTATE_SIZE is the size of the hash table used to store
    states. IPSTATE_MAX is the maximum number of states held in this
    hash table.

    The rules are :
            IPSTATE_SIZE is a prime
            IPSTATE_MAX ~= 0.7 * IPSTATE_SIZE
    (yes in 3.3.16, max > size, but that's wrong)

    You will have to estimate your average TCP session duration and
    adjust these two knobs accordingly. For example, for an average of
    1 minute per TCP session, and 100 sessions per second, I would use
    max = 7200 (100*60+20%) and size = the next prime after 7200/0.7.



So far I figure that my state table is too small for my usage.

Here are my questions: 

Is this information accurate? Is this a problem with 2.7? I'm planning
an upgrade to 2.8; would I have the same problem?

I'm no coder and especially no mathematician, so I figure I would have
to calculate this for approx. 2000 pkts/sec.

Any suggestions would be appreciated.


Christian Lecompte
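The sizing rule from the quoted archive post, carried through as a small
script. This is an added example, not code from the poster, from the
archive message, or from the ipf sources. It assumes that "the next
prime after 7200/0.7" means the smallest prime not below ceil(7200/0.7),
that the 20% headroom is applied on top of rate * duration exactly as the
quoted post does, and that the two macro names are the ones the quoted
post gives for ip_state.h; it does not check what the 3.3.16 defaults
actually are. One caveat for the 2000 pkts/sec figure above: the rule
takes new sessions per second and average session lifetime (Little's
law), not packets per second, so a session rate has to be measured or
estimated first.

```python
"""Size the ipf state table knobs from a session rate and lifetime.

Rule of thumb from the quoted post (assumptions noted inline):
    IPSTATE_MAX  ~= new_sessions_per_sec * avg_lifetime_s, plus 20% headroom
    IPSTATE_SIZE  = a prime such that IPSTATE_MAX ~= 0.7 * IPSTATE_SIZE
"""
import math
from fractions import Fraction

# From the quoted post: max should be about 0.7 of the hash table size.
LOAD_FACTOR = Fraction(7, 10)


def is_prime(n: int) -> bool:
    """Trial division; plenty fast for table sizes in the 10^4..10^6 range."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest prime >= n.

    Assumption: "the next prime after x" is read as the first prime at or
    above ceil(x), which is what you want for a hash table size anyway.
    """
    while not is_prime(n):
        n += 1
    return n


def ipf_state_sizing(sessions_per_sec, avg_lifetime_s,
                     headroom_pct: int = 20) -> tuple[int, int]:
    """Return (IPSTATE_MAX, IPSTATE_SIZE) for the given load.

    Little's law: average concurrent sessions = arrival rate * lifetime.
    Exact rational arithmetic avoids a float like 7199.9999 being ceil'd
    to the wrong integer at the boundary.
    """
    concurrent = Fraction(sessions_per_sec) * Fraction(avg_lifetime_s)
    ipstate_max = math.ceil(concurrent * (1 + Fraction(headroom_pct, 100)))
    ipstate_size = next_prime(math.ceil(Fraction(ipstate_max) / LOAD_FACTOR))
    return ipstate_max, ipstate_size


def render_defines(ipstate_max: int, ipstate_size: int) -> str:
    """The two #define lines to put into ip_state.h in place of the defaults."""
    return (f"#define IPSTATE_SIZE {ipstate_size}\n"
            f"#define IPSTATE_MAX {ipstate_max}\n")


if __name__ == "__main__":
    # Worked example from the quoted post: 100 new sessions/s, 60 s each.
    m, s = ipf_state_sizing(100, 60)
    print(render_defines(m, s), end="")
    # Sanity check the post's own ratio rule before editing the header.
    print(f"max/size = {m / s:.3f} (target <= 0.7)")
```

For the quoted post's numbers this gives IPSTATE_MAX 7200 and IPSTATE_SIZE
10289 (7200/0.7 is 10285.7, and 10289 is the first prime above it). Feed
it your own measured session rate and lifetime; if you only have a packet
rate, divide by the packets a typical session carries to get a rough
session rate first, and keep max/size at or below 0.7.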