
List:       openbsd-pf
Subject:    Re: pf state limitations/kernel memory utilization
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2002-07-26 12:27:15

On 2002-07-26 3:23:27, Paul B. Henson wrote:

> thanks for the information. I currently have 1GB in the system, but plan to
> remove some as I believe that is more than I need and is actually
> decreasing the available kernel memory.
>
> I just wish I could find some way to determine the optimal amount of
> memory. Unfortunately, I guess kernel memory management is too complicated
> to have a simple formula indicating that for physical memory X you have
> available kernel memory Y.

There's no simple formula that I know of, but you can pretty easily find
the limit for a given setup. Set all state timeouts to high values, then
run a couple of concurrent nmap's through the firewall. Each invocation
will rather quickly use up 65k state entries. The panic occurs reliably
at a specific point.

I have a 320MB machine and the limit is beyond 256k states. If you
really need more states, I guess you could try 512MB. :)

Daniel
