>From: Clifton Royston <[EMAIL PROTECTED]>
>Date: Tue, 9 Nov 2004 09:27:33 -1000
>
>On Tue, Nov 09, 2004 at 06:17:25PM +0000, Gene ENonymous wrote:
>> I never got a crystal clear answer to my original question about rule set
>> size limits,
>
> FWIW, I think Darren's message implied (though he didn't say) that
>there is no hard-coded limit, and that the number of loadable rules
>depends only on your available RAM.

I finally know the answer for NetBSD with the kernel-integrated ipf...

The ipf/ipnat rules tables are malloc'd out of the kernel VM space. When that space gets exhausted, you get various messages that no more space for rules can be allocated (then you just start getting "rule not exist" messages too).

The fix is to increase the kernel VM space allocation, vm.nkmempages. On my system the default was 4096 (I'm pretty sure this is in 512 byte blocks - which would imply 2M of VM pool).

I reached a point where I wanted to load over 40,000 rules, and I ran out of VM (after about 30,000 rules). I customized my kernel (which reduced it in size from about 3M to ~1M), then I increased vm.nkmempages to 8192 (4M, I'm pretty sure) and I was able to load my giant rule-set with no issues.

This was my first time to compile a kernel and all I can say is that it was super easy! First I compiled a GENERIC, which was just to make sure the process worked as advertised (yeah, it did). Then I took 3 attempts to get a fully functional small (MYSMALL) kernel. Then one more compile to increase the memory. This was about a 3 hour exercise.

References:
----------
Kernel Compile How-TO: http://www.netbsd.org/guide/en/chap-kernel.html

Man Pages
---------
options(4) - VM Related Options - options NKMEMPAGES=value
sysctl(8) - to verify the VM pool increased in size
