> I have been using ipf to block some large swaths of unwelcome
> address ranges for a while now.
>
> My current (working) rule sets consist of about 85,000 mostly
> symmetric input and output rules for ~170,000 rules total.

Would using ippool to define address pools for use in rules allow you to have fewer rules?

> This appears to occupy about 85MB of kernel memory, which is
> where ipf memory resides under NetBSD.
>
> Question 1: The ASCII files for these rules only occupy about 12-13MB. Is
> the 85MB number reflective of some sort of allocation error?
> (I would expect the in memory storage to be smaller since binary
> coding can be used?)

Unfortunately it's not like that. For example, the kernel objects used to store interface names provide for up to 16 characters, even if they're only 4 bytes long, and there are up to 7 of these per rule and...

> Question 2: If I flush the rulesets, I do not seem to get this
> kernel memory back. How can I determine if this is a NetBSD kernel issue
> or an ipf issue?

Hmm? If you flush and then load again, does it use another 80MB of memory or does the memory use seem to become capped?

Darren
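To illustrate the ippool suggestion above, here is an added example (not from the thread) of collapsing per-range block rules into one pool; the address ranges and the pool number 100 are constructed placeholders, and the syntax follows the ippool.conf and ipf.conf formats as I understand them.

```conf
# Before: one ipf rule per blocked range, symmetric in and out
# (ipf.conf). Every rule carries its own kernel object.
block in quick from 192.0.2.0/24 to any
block out quick from any to 192.0.2.0/24
block in quick from 198.51.100.0/24 to any
block out quick from any to 198.51.100.0/24

# After: the ranges live in a single radix-tree pool (ippool.conf),
# loaded with "ippool -f /etc/ippool.conf", and ipf.conf references it.
# ippool.conf:
table role = ipf type = tree number = 100
{ 192.0.2.0/24; 198.51.100.0/24; };

# ipf.conf: two rules cover every range in pool 100
block in quick from pool/100 to any
block out quick from any to pool/100
```

Loading the pool before the rules matters, since ipf rejects a rule that references a pool that does not yet exist.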
